Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2012.0702 Microsoft Security Advisory (2737111) Vulnerabilities in Microsoft Exchange and FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution 25 July 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Microsoft Exchange Server FAST Search Server 2010 for SharePoint Publisher: Microsoft Operating System: Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Resolution: Mitigation CVE Names: CVE-2012-3110 CVE-2012-3109 CVE-2012-3108 CVE-2012-3107 CVE-2012-3106 CVE-2012-1773 CVE-2012-1772 CVE-2012-1771 CVE-2012-1770 CVE-2012-1769 CVE-2012-1768 CVE-2012-1767 CVE-2012-1766 Reference: ASB-2012.0103 Original Bulletin: http://technet.microsoft.com/en-us/security/advisory/2737111 Comment: While Microsoft has not yet provided a patch to correct these issues, two workarounds have been provided in this advisory. - --------------------------BEGIN INCLUDED TEXT-------------------- Microsoft Security Advisory (2737111) Vulnerabilities in Microsoft Exchange and FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution Published: Tuesday, July 24, 2012 Version: 1.0 General Information Executive Summary Microsoft is investigating new public reports of vulnerabilities in third-party code, Oracle Outside In libraries, that affect Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and FAST Search Server 2010 for SharePoint, which ship that component. Customers that apply the workarounds described in this advisory are not exposed to the vulnerabilities described in Oracle Critical Patch Update Advisory - July 2012. The vulnerabilities exist due to the way that files are parsed by the third- party, Oracle Outside In libraries. In the most severe case of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010, it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. Mitigating Factors: * The transcoding service in Exchange that uses the Oracle Outside In libraries is running in LocalService account. * Microsoft SharePoint Server is only affected by this issue when FAST Search with Advanced Filter Pack is enabled. By default, Advanced Filter Pack in FAST is disabled. When Advanced Filter Pack is enabled, the component that uses the Oracle Outside In libraries is running with a restricted token. Recommendation. Please see the Suggested Actions section of this advisory for more information. Advisory Details Issue References For more information about this issue, see the following references: References Identification Oracle Advisory Oracle Critical Patch Update Advisory - July 2012 CERT Reference VU#118913 CVE Reference CVE-2012-1766 CVE-2012-1767 CVE-2012-1768 CVE-2012-1769 CVE-2012-1770 CVE-2012-1771 CVE-2012-1772 CVE-2012-1773 CVE-2012-3106 CVE-2012-3107 CVE-2012-3108 CVE-2012-3109 CVE-2012-3110 Affected Software Microsoft Exchange Server 2007 Service Pack 3 Microsoft Exchange Server 2010 Service Pack 1 Microsoft Exchange Server 2010 Service Pack 2 Microsoft SharePoint Server 2010 Service Pack 1[1] FAST Search Server 2010 for SharePoint [1]Microsoft SharePoint Server is only affected by this issue when FAST Search with Advanced Filter Pack is enabled. By default, Advanced Filter Pack in FAST is disabled. When Advanced Filter Pack is enabled, the component that uses the Oracle Outside In libraries is running with a restricted token. Suggested Actions Apply Workarounds Workarounds refer to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available. See the next section, Workarounds, for more information. Workarounds Disable transcoding service 1. Log in to the Exchange Management Shell as an Exchange Organization Administrator. 2. Issue the following PowerShell command: Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010'} | Set-OwaVirtualDirectory -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False Impact of workaround. OWA users may not be able to preview the content of email attachments. Disable the Advanced Filter Pack On the FAST Search Server 2010 for SharePoint administration server (or single server), perform these steps: 1. On the Start menu, click All Programs. 2. Click Microsoft FAST Search Server 2010 for SharePoint. 3. Right-click Microsoft FAST Search Server 2010 for SharePoint shell and select Run as administrator. 4. At the command prompt, browse to installer\scripts under the installation folder. 5. Type the following command: .\AdvancedFilterPack.ps1 -disable - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUA+Yve4yVqjM2NGpAQILsg//YkMe/PAroF1ZDe7e7PEva2vmyHTST9AF +fG1TjLgb+Ies6nYiw9vXZ174WvPPmCi+TKrN09EYcBzvUXgaVElkEphnCt8dgy/ EBwNkSibwWjrnBal2pYtswESLWGFsJvW77/hK2MVptlZGBorCNXY7fVXFbdEXQPc GpssZymPjX0aQgbeoA7eU3++swe/pDvrdH7lcMShJnZ5llbHkmGvlrF1fg1+HEHE T4zBIOe5BaHeZnHOCVrJ+09xRW/QAb9dvEGAQjo7FPglApMmgWpZqoRTckcMYdNm PoQGBsGCJJiXFNPQv4PRdFVuR1RlZE8aH+4Tis1o6CoQQGug5K7H1dkpwgNvZ2UO uRGNTmTvra9lH8+D0OAK+fEHX7OCZvQYF/xwd7GjCASJNzrnKFSGLHY/biJ7iDTq XeNBj0dzbeT/98P3z9HVEVThIcIvKt1Giv62P8Ou8zkpQwpfFFxjGS0q8MUQK5Vw c35NzC4P99VOFYrVDAJE+NbnFcbH2IWD2N28Foe6LReUQ3nvyfmzeBiBtdg2pJk0 uPXdkIori2oO7kY2FxyaUZ3Ovo7feDhA6t7JVQtpWi9E4ciH1pNsROU3rah6F3EF ICPCARPdZNuedJ40JMrjm04Gh2UpG/ueD64757X3UT7XS9c1fKJnxveJr7rw3Ht5 Tqo5zoDHdqo= =Ki0A -----END PGP SIGNATURE-----