Microsoft Security Bulletin MS16-079 - Important
Security Update for Microsoft Exchange Server (3160339)
Published: June 14, 2016
Version: 1.0
Executive Summary
This security update resolves vulnerabilites in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.
This security update is rated Important for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, and Microsoft Exchange Server 2016. For more information, see the Affected Software and Vulnerability Severity Ratings section.
The security update addresses the vulnerabilities by correcting the way that Microsoft Exchange parses HTML messages. For more information about the vulnerabilities, see the Vulnerability Information section.
For more information about this update, see Microsoft Knowledge Base Article 3160339.
Affected Software and Vulnerability Severity Ratings
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary.
**Microsoft Server Software** | [**Microsoft Exchange Information Disclosure Vulnerability - CVE-2016-0028**](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0028) | [**Oracle Outside In Libraries Elevation of Privilege Vulnerabilities: CVE-2015-6013 CVE-2015-6014 CVE-2015-6015**](http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html) | **Updates Replaced\*** |
**Microsoft Exchange Server 2007** | |||
[Microsoft Exchange Server 2007 Service Pack 3](https://www.microsoft.com/download/details.aspx?familyid=96460a5b-8823-4e1a-9a6d-faccd320b6af) (3151086) | Not applicable | **Important** Elevation of Privilege | 2996150 in [MS14-075](http://go.microsoft.com/fwlink/?linkid=518104) |
**Microsoft Exchange Server 2010** | |||
[Microsoft Exchange Server 2010 Service Pack 3](https://www.microsoft.com/download/details.aspx?familyid=270226a4-b37a-43ae-b31a-4b704c9680ac) (3151097) | Not applicable | **Important** Elevation of Privilege | 2986475 in [MS14-075](http://go.microsoft.com/fwlink/?linkid=518104) |
**Microsoft Exchange Server 2013** | |||
[Microsoft Exchange Server 2013 Service Pack 1](https://www.microsoft.com/download/details.aspx?familyid=ee45c575-dba5-42dd-b60d-29b594deb7cf) (3150501) | **Important** Information Disclosure | **Important** Elevation of Privilege | 3124557 in [MS16-010](http://go.microsoft.com/fwlink/?linkid=717997) |
[Microsoft Exchange Server 2013 Cumulative Update 11](https://www.microsoft.com/download/details.aspx?familyid=b737f3a4-4884-4437-ace2-ca2916f92f4a) (3150501) | **Important** Information Disclosure | **Important** Elevation of Privilege | 3124557 in [MS16-010](http://go.microsoft.com/fwlink/?linkid=717997) |
[Microsoft Exchange Server 2013 Cumulative Update 12](https://www.microsoft.com/download/details.aspx?familyid=ef780360-98a9-4e40-9b7c-32ebfb2e5e7e) (3150501) | **Important** Information Disclosure | **Important** Elevation of Privilege | None |
**Microsoft Exchange Server 2016** | |||
[Microsoft Exchange Server 2016](https://www.microsoft.com/download/details.aspx?familyid=9dba26d3-2404-4f1c-a69a-a18b896a45a8) (3150501) | **Important** Information Disclosure | **Important** Elevation of Privilege | 3124557 in [MS16-010](http://go.microsoft.com/fwlink/?linkid=717997) |
[Microsoft Exchange Server 2016 Cumulative Update 1](https://www.microsoft.com/download/details.aspx?familyid=307d684c-21d8-4483-8f49-702b00ad36fa) (3150501) | **Important** Information Disclosure | **Important** Elevation of Privilege | None |
Update FAQ
Why is Microsoft issuing a security update for vulnerabilities that are in third-party code, Oracle Outside In libraries? Microsoft licenses a custom implementation of the Oracle Outside In libraries, specific to the product in which the third-party code is used. Microsoft is issuing this security update to help ensure that all customers using this third-party code in Microsoft Exchange are protected from these vulnerabilities. For more information about these vulnerabilities, see Oracle Critical Patch Update Advisory - January 2016.
Do these updates contain any additional security-related changes to functionality?
The updates listed in the Affected Software and Vulnerability Severity Ratings table include defense-in-depth updates to help improve security-related features, in addition to the changes that are listed for the vulnerability described in this bulletin.
Vulnerability Information
Microsoft Exchange Information Disclosure Vulnerability - CVE-2016-0028
An email filter bypass exists in the way that Microsoft Exchange parses HTML messages that could allow information disclosure. An attacker who successfully exploited the vulnerability could identify, fingerprint, and track a user online if the user views email messages using Outlook Web Access (OWA). An attacker could also combine this vulnerability with another one, such as a Cross-Site Request Forgery (CSRF), to amplify the attack.
To exploit the vulnerability, an attacker could include specially crafted image URLs in OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems. The update corrects the way that Exchange parses HTML messages.
The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title | CVE number | Publicly disclosed | Exploited |
Microsoft Exchange Information Disclosure Vulnerability | CVE-2016-0028 | No | No |