Menu
Microsoft warns of critical Oracle code bugs in Exchange

Microsoft warns of critical Oracle code bugs in Exchange

Promises Exchange 2007, Exchange 2010 updates; offers temporary fix

Microsoft last week warned IT administrators that critical vulnerabilities in code licensed from Oracle could give attackers access to Exchange Server 2007 and Exchange Server 2010 systems.

Oracle patched the vulnerabilities in its "Oracle Outside In" code libraries as part of a massive update on July 17 that fixed nearly 90 flaws in its database software.

Exchange, as well as Microsoft's FAST Search Server 2010 for SharePoint, use the Oracle Outside In libraries to display file attachments in a browser rather than to open them in a locally-stored application, like Microsoft Word. The vulnerabilities are within the code that parses those attachments.

"An attacker who successfully exploited these vulnerabilities could run arbitrary code under the process that is performing the parsing of the specially crafted files," said Microsoft in the security advisory it issued a week ago.

A successful exploit of an Exchange server would let hackers "install programs; view, change, or delete data; or take any other action that the server process has access to do."

Microsoft downplayed the threat, saying elsewhere that it was unaware of any active, in-the-wild exploits.

In the absence of an immediate patch -- Microsoft said it is working on an update, but gave no release timetable -- the company's Security Research & Defense blog and the advisory recommended that IT administrators temporarily disable those Exchange Server and FAST Search Server features that relied on the Oracle Outside In libraries.

"You need to evaluate the risk and determine if it's necessary to implement the mitigations," said Andrew Storms, director of security operations at nCircle Security, in an interview last week. "Meanwhile, the security guys sit and watch attack telemetry and hope Microsoft releases a fix soon."

Microsoft rarely issues an emergency update -- dubbed "out-of-band" or "out-of-cycle" -- that departs from its normal once-a-month schedule. Among the criteria it uses: Whether there are attacks circulating that exploit a vulnerability, and if so, whether the volume of those attacks reaches a threshold that Microsoft doesn't disclose.

The last time Microsoft released an out-of-band update was at the end of 2011, when it rushed a fix for a flaw that could have been used by hackers to cripple Web servers.

The company's next regularly-scheduled security updates will ship Tuesday, Aug. 14.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about security in Computerworld's Security Topic Center.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments