Microsoft Security Bulletin MS16-079 - Important

  • 4 minutes to read

Security Update for Microsoft Exchange Server (3160339)

Published: June 14, 2016

Version: 1.0

Executive Summary

This security update resolves vulnerabilites in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, and Microsoft Exchange Server 2016. For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerabilities by correcting the way that Microsoft Exchange parses HTML messages. For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3160339.

Affected Software and Vulnerability Severity Ratings

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary.

**Microsoft Server Software** [**Microsoft Exchange Information Disclosure Vulnerability - CVE-2016-0028**](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0028) [**Oracle Outside In Libraries Elevation of Privilege Vulnerabilities: CVE-2015-6013 CVE-2015-6014 CVE-2015-6015**](http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html) **Updates Replaced\***
**Microsoft Exchange Server 2007**
[Microsoft Exchange Server 2007 Service Pack 3](http://www.microsoft.com/downloads/details.aspx?familyid=96460a5b-8823-4e1a-9a6d-faccd320b6af) (3151086) Not applicable **Important**  Elevation of Privilege 2996150 in [MS14-075](http://go.microsoft.com/fwlink/?linkid=518104)
**Microsoft Exchange Server 2010**
[Microsoft Exchange Server 2010 Service Pack 3](http://www.microsoft.com/downloads/details.aspx?familyid=270226a4-b37a-43ae-b31a-4b704c9680ac) (3151097) Not applicable **Important**  Elevation of Privilege 2986475 in [MS14-075](http://go.microsoft.com/fwlink/?linkid=518104)
**Microsoft Exchange Server 2013**
[Microsoft Exchange Server 2013 Service Pack 1](http://www.microsoft.com/downloads/details.aspx?familyid=ee45c575-dba5-42dd-b60d-29b594deb7cf) (3150501) **Important**  Information Disclosure **Important**  Elevation of Privilege 3124557 in [MS16-010](http://go.microsoft.com/fwlink/?linkid=717997)
[Microsoft Exchange Server 2013 Cumulative Update 11](http://www.microsoft.com/downloads/details.aspx?familyid=b737f3a4-4884-4437-ace2-ca2916f92f4a) (3150501) **Important**  Information Disclosure **Important**  Elevation of Privilege 3124557 in [MS16-010](http://go.microsoft.com/fwlink/?linkid=717997)
[Microsoft Exchange Server 2013 Cumulative Update 12](http://www.microsoft.com/downloads/details.aspx?familyid=ef780360-98a9-4e40-9b7c-32ebfb2e5e7e) (3150501) **Important**  Information Disclosure **Important**  Elevation of Privilege None
**Microsoft Exchange Server 2016**
[Microsoft Exchange Server 2016](http://www.microsoft.com/downloads/details.aspx?familyid=9dba26d3-2404-4f1c-a69a-a18b896a45a8) (3150501) **Important**  Information Disclosure **Important**  Elevation of Privilege 3124557 in [MS16-010](http://go.microsoft.com/fwlink/?linkid=717997)
[Microsoft Exchange Server 2016 Cumulative Update 1](http://www.microsoft.com/downloads/details.aspx?familyid=307d684c-21d8-4483-8f49-702b00ad36fa) (3150501) **Important**  Information Disclosure **Important**  Elevation of Privilege None
\*The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the [Microsoft Update Catalog](http://catalog.update.microsoft.com/v7/site/home.aspx), search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Update FAQ

Why is Microsoft issuing a security update for vulnerabilities that are in third-party code, Oracle Outside In libraries?  Microsoft licenses a custom implementation of the Oracle Outside In libraries, specific to the product in which the third-party code is used. Microsoft is issuing this security update to help ensure that all customers using this third-party code in Microsoft Exchange are protected from these vulnerabilities. For more information about these vulnerabilities, see Oracle Critical Patch Update Advisory - January 2016.

Do these updates contain any additional security-related changes to functionality?
The updates listed in the Affected Software and Vulnerability Severity Ratings table include defense-in-depth updates to help improve security-related features, in addition to the changes that are listed for the vulnerability described in this bulletin.

Vulnerability Information

Microsoft Exchange Information Disclosure Vulnerability - CVE-2016-0028

An email filter bypass exists in the way that Microsoft Exchange parses HTML messages that could allow information disclosure. An attacker who successfully exploited the vulnerability could identify, fingerprint, and track a user online if the user views email messages using Outlook Web Access (OWA). An attacker could also combine this vulnerability with another one, such as a Cross-Site Request Forgery (CSRF), to amplify the attack.

To exploit the vulnerability, an attacker could include specially crafted image URLs in OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems. The update corrects the way that Exchange parses HTML messages.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Exchange Information Disclosure Vulnerability CVE-2016-0028 No No
### Mitigating Factors Microsoft has not identified any [mitigating factors](https://technet.microsoft.com/library/security/dn848375.aspx) for this vulnerability. ### Workarounds Microsoft has not identified any [workarounds](https://technet.microsoft.com/library/security/dn848375.aspx) for this vulnerability. Oracle Outside In Libraries Elevation of Privilege Vulnerabilities ------------------------------------------------------------------ This security update addresses the following vulnerabilities, which are described in [Oracle Critical Patch Update Advisory - January 2016](http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html): - CVE-2015-6013: Oracle Outside In 8.5.2 WK4 stack buffer overflow - CVE-2015-6014: Oracle Outside In 8.5.2 DOC stack buffer overflow - CVE-2015-6015: Oracle OIT 8.5.2 Paradox DB stack buffer overflow Security Update Deployment -------------------------- For Security Update Deployment information, see the Microsoft Knowledge Base article referenced [here](#kbarticle) in the Executive Summary. Acknowledgments --------------- Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See [Acknowledgments](https://technet.microsoft.com/library/security/mt674627.aspx) for more information. Disclaimer ---------- The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions --------- - V1.0 (June 14, 2016): Bulletin published. *Page generated 2016-06-08 10:44-07:00.*