Microsoft Security Advisory 2737111 and Microsoft Exchange


8/14/2012: We have released updates to address the vulnerability mentioned in this post. See Microsoft Security Bulletin MS12-058 – Critical.

Yesterday Microsoft Security Research Center issued Microsoft Security Advisory (2737111) – Microsoft is investigating new public reports of vulnerabilities in third-party code, Oracle Outside In libraries, that affect Web-ready document viewing in Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010. We recommend that customers apply the workarounds described in this advisory so that they are not exposed to the vulnerabilities described in Oracle Critical Patch Update Advisory – July 2012.

The reported vulnerability that’s being investigated impacts web-ready document viewing in Exchange 2010/Exchange 2007. Web-ready document viewing is a feature that allows Outlook Web App users to view supported attachments in an email without having to download them to a computer and use locally installed applications to view them.

For more information, see Microsoft Security Advisory (2737111) and More information on Security Advisory 2737111 on the Microsoft Security Research & Defense blog.

Bharat Suneja
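The workaround the advisory recommends is to turn web-ready document viewing off, and the comments below raise three practical points: the setting lives on each server's OWA virtual directory, it also has to be turned off in any OWA mailbox policies (including Default), and you will want a way to verify and later undo the change. The following Exchange Management Shell script is an added example written for this page; it is not from the post, the advisory, or the Exchange team. The Get-/Set-OwaVirtualDirectory and Get-/Set-OwaMailboxPolicy cmdlets and the two WebReadyDocumentViewing*Enabled parameters are the documented ones; the -Action switch is an assumption of this example.

```powershell
# Added example, not the post's or the advisory's own script. Run from the
# Exchange Management Shell. -Action is this script's own convention:
#   Audit   - report the current setting on every OWA vdir and OWA policy
#   Disable - apply the advisory's workaround everywhere, then verify
#   Enable  - undo the workaround once the update is installed
param(
    [ValidateSet('Audit', 'Disable', 'Enable')]
    [string]$Action = 'Audit'
)

$enabled = ($Action -eq 'Enable')
$props = @(
    'WebReadyDocumentViewingOnPublicComputersEnabled',
    'WebReadyDocumentViewingOnPrivateComputersEnabled'
)

# 1. OWA virtual directories, one per Client Access server. An Exchange 2010
#    shell cannot change Exchange 2007 vdirs, so run this from each version's
#    shell if you have a mixed organization.
if ($Action -ne 'Audit') {
    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory `
        -WebReadyDocumentViewingOnPublicComputersEnabled $enabled `
        -WebReadyDocumentViewingOnPrivateComputersEnabled $enabled
}

# 2. OWA mailbox policies. A policy assigned to a mailbox governs that user,
#    so the policies (including Default) must carry the same value.
if ($Action -ne 'Audit') {
    Get-OwaMailboxPolicy | Set-OwaMailboxPolicy `
        -WebReadyDocumentViewingOnPublicComputersEnabled $enabled `
        -WebReadyDocumentViewingOnPrivateComputersEnabled $enabled
}

# 3. Verify by re-reading both kinds of object rather than trusting the Set.
$report = @(Get-OwaVirtualDirectory) + @(Get-OwaMailboxPolicy) |
    Select-Object Identity, $props[0], $props[1]
$report | Format-Table -AutoSize

# Anything still enabled after a Disable run is a gap in the workaround.
$stillOn = $report | Where-Object { $_.($props[0]) -or $_.($props[1]) }
if ($Action -eq 'Disable' -and $stillOn) {
    Write-Warning ("WebReady viewing still enabled on: " +
        ($stillOn.Identity -join ', '))
}
```

Run it with no arguments first to see where the feature is currently on, then with -Action Disable; the final table is the same check suggested in the comments (Get-OWAVirtualDirectory piped to Select), extended to the OWA mailbox policies so a user with a policy assigned is not left exposed. The Set cmdlets change the configuration in Active Directory, which is why, as several commenters observed, no IISRESET is needed for the OWA client to stop offering [Open as Web Page].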

Comments (24)
  1. pesospesos says:

    Yikes.  Advisory link isn't working yet, but I assume since we always disable webreadydocviewing on our CAS servers we're in the clear.

  2. Bharat Suneja [MSFT] says:

    @pesos: Thanks for catching that, links updated. The workaround, as documented in the advisory, is in fact to disable web-ready document viewing.

  3. davebreese@hotmail.com says:

    Is there a timeframe as to when a hotfix will be released?  Web Ready Doc viewing is a very useful feature we'd like to turn back on as soon as possible.  Especially for the Linux/Mac end-user population.

  4. Bharat Suneja [MSFT] says:

    @Breese: We don't have an ETA at the moment. We'll update as more information is available.

  5. vixster says:

    Microsoft Exchange stinks – I have begged out IT guy to replace asap.  We are overwhelmed by junk!!!  I also have lost a ton of my e-mail history.

  6. NeillT says:

    @vixster

    If so your e-mail people haven't got Exchange configured properly or are using the wrong 3rd party add-ons for messaging hygiene.

  7. Sam Kapoor says:

    Obviously you should've replaced your IT guy instead! Running Exchange for more than a decade with no data loss.

  8. Exchange Admin says:

    In our environment the command needed to be modified to disable this on Exchange 2007 servers versus Exchange 2010 servers.   Exchange 2010 EMS can't modify Exchange 2007 resources.

    Also, our Exchange 2007 servers made the change instantly and the [Open as Web Page] is no longer displaying.  Our Exchange 2010 servers have not made the change so my suspicion is an IISRESET is required.  Anyone know how this works? If I don't have to kick everyone off of web services I would prefer it.

  9. DusySport says:

    @Exchange Admin

    We disabled WebReady viewing on our Exchange 2010 servers today and did not need to perform an IISreset.  I would run Get-OWAVirtualDirectory | Select Name,WebReadyDocumentViewingonPublicComputersEnabled,WebReadyDocumentViewingonPrivateComputersEnabled   to make sure it is truly disabled on all servers.

    Hope this helps.

  10. @Dusty08 says:

    The output shows it set to FALSE on all servers.

  11. DusySport says:

    The related Technet article does not say any additional work is needed (technet.microsoft.com/…/aa995967.aspx).  I might try a different browser or workstation to see if it still acts as if it is enabled.  You can also use the Technet article to check this with the EMC (although this will probably show exactly what the management shell displays).

  12. Exchange Admin says:

    Our Exchange 2010 servers are now reflecting the change without an IISRESET.

    I'll 2nd the question about a time frame for a fix?

  13. thomas says:

    Workaround works well for us without iisreset.

    Trying to open documents in the browser now brings a message:

    the WebReady Document Viewing-service was disabled and so on…

    So it's OK for us.

  14. Karsten says:

    In the Advisory you specify some powershell code to disable the web-ready document viewing.

    In Exchange 2010 in the Exchange Management Console I found the option to disable web-ready document viewing in the following place:

    Organization configuration | Client Access configuration | Outlook Web App Mailbox Policies | Default, on the File Access tab (pub/priv)

    Is this the same?

  15. Magnus Bjork says:

    @Karsten Yes it's the same, if you have multiple servers don't forget to repeat the steps for each server.

  16. Magnus Bjork says:

    If OWA Mailbox policies are assigned to users one more step is also needed, described in mailmaster.se/blog

  17. Karsten says:

    @Magnus Bjork: Thanks for your reply. The place I mentioned was not exactly the right place – webready worked although I made the setting.

    I additionally made the setting for each server in the following place and it worked:

    Server configuration | Client Access | Outlook Web App | owa (Default Web Site)

  18. Bharat Suneja [MSFT] says:

    @Karsten: You can use the Shell to quickly disable it on the OWA virtual directory on multiple servers.

    @Magnus: Yes, this needs to be disabled in any OWA policies as well (including the default OWA policy). An OWA policy is not applied to users by default.

  19. R2D2 says:

    Will OWA publishing with TMG 2010 prevent such attacks? This could be prevented by the NIS protection, couldn't it? Any comment about this constellation is appreciated…

  20. Karsten says:

    @Bharat: Thanks – but as the PowerShell way is the way the Advisory suggests, I have seen this.

    But I wasn't sure if I could make the change "un"-done with PowerShell in case MS has solved the problem with webready document viewing. That's a lot easier with the GUI.

  21. Bharat Suneja [MSFT] says:

    @Karsten: Certainly easier with the GUI. Use the tool you're most comfortable with.

    To undo from the Shell, simply set the same parameters in OWAVdir (and any OWA policies) to $true.

  22. zustem says:

    I disabled web ready document viewing in the EMC GUI. But when I checked EMS, only the WebReadyDocumentViewingonPublicComputersEnabled was set to False. It was still true for Private Computers.

    Better to use the shell command provided in the advisory to disable for both Public and Private computers. Waiting for a fix from MS, it's functionality that users rather like.

  23. Me says:

    Does anyone know if this vulnerability affects Exchange 2007 SP2?

  24. Bharat Suneja [MSFT] says:

    @Me: Please see Microsoft Product Lifecycle for Exchange Server:

    http://aka.ms/ex2007support

    Exchange 2007 SP2 is past its end date for support for more than a year now. You must upgrade to SP3.

Comments are closed.