beingexchanged: Update now - no I mean it, NOW

Friday, February 20, 2009

Update now - no I mean it, NOW

Though I'm known for keeping a level head during these kinds of scenarios, there is an emerging vulnerability in both Exchange Server and Internet Explorer that you'll have to address immediately to keep your enterprise safe.  I wish I was kidding, but no, it's true.

The long and short of it is that specially crafted messages could be sent to an Exchange server that - even if only previewed by a user - can allow an attacker to take control of the Exchange server itself with full Exchange Admin privileges.  The details can be found at this link, but I'll summarize here.

If an attacker crafts a message in certain ways via TNEF (Transport Neutral Encapsulation Format), and that message is then either previewed or opened by an end-user (which is the point of email, after all), then the attacker can gain elevated privileges on the Exchange server and wreak havoc.  While that sounds like a major problem, there is good news.  The attack would require a sophisticated attacker creating just the right message and then finding a live mailbox to send it to.  Not only that, but it would need to get past the spam and CAPTCHA systems if you use them.  Finally, the anti-virus vendors will eventually jump in as well, scanning for messages crafted with the exploit.

The really bad news is that end-users do NOT have to open an attachment this time.  They can unwittingly infect the mail servers by previewing the message body or opening the message itself.  Since Outlook clients and now even Outlook Web Access both Auto-Preview by default, end-users can follow all best-practice safety protocols and still end up infecting the organization through no fault of their own.  Add to this that some anti-virus tools may use MAPI viewers to scan mail, which means that the system designed to shield you could accidentally infect you instead.  The same goes for backup agents that use MAPI clients to do brick-level backups.

There is one more bit of scariness to be told, though information on this last piece is sketchier than on the other exploit vectors.  It would appear that the TNEF message may not even need to be previewed by an end user, but could in fact attack a server just by being received by the server itself.  Even before we know more for sure on this last point, I think the previous points - which are verified by this author and others - are bad enough that you should jump on this right now.
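One control the advice above implies is refusing malformed TNEF at the mail gateway before any client or MAPI-based scanner gets to preview it.  The following is an added example, not code from this post or from Microsoft: it walks the standard TNEF attribute chain (signature, key, then level/id/length/data/checksum records) and reports gross structural lies such as a length field that overruns the buffer.  It is a generic sanity check, not a signature for the specific flaw, whose details the post does not give; the sample streams are constructed here.

```python
import struct

TNEF_SIGNATURE = 0x223E9F78      # magic at the start of every TNEF stream (winmail.dat)
ATT_TNEF_VERSION = 0x00089006    # atpDword | attTnefVersion

def tnef_checksum(data: bytes) -> int:
    # Each attribute ends with a 16-bit checksum: the sum of its data bytes mod 65536.
    return sum(data) & 0xFFFF

def build_attribute(level: int, attr_id: int, data: bytes, declared_len: int = -1) -> bytes:
    # Record layout: level (1 byte), attribute id (4), data length (4), data, checksum (2).
    # declared_len < 0 means "honest"; otherwise the length field lies about the data (for tests).
    length = len(data) if declared_len < 0 else declared_len
    return struct.pack("<BII", level, attr_id, length) + data + struct.pack("<H", tnef_checksum(data))

def build_tnef(attributes: list, key: int = 0x1234) -> bytes:
    # Header: signature (4) + attachment key (2), followed by the attribute records.
    return struct.pack("<IH", TNEF_SIGNATURE, key) + b"".join(attributes)

def validate_tnef(blob: bytes) -> list:
    """Return every structural problem found; an empty list means the stream is well-formed."""
    problems = []
    if len(blob) < 6:
        return ["stream shorter than the 6-byte TNEF header"]
    sig, _key = struct.unpack_from("<IH", blob, 0)
    if sig != TNEF_SIGNATURE:
        return ["bad signature 0x%08X" % sig]
    pos = 6
    while pos < len(blob):
        if len(blob) - pos < 9:
            problems.append("truncated attribute header at offset %d" % pos)
            break
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        if level not in (1, 2):  # 1 = message level, 2 = attachment level
            problems.append("unknown level %d at offset %d" % (level, pos))
        data_start = pos + 9
        available = len(blob) - data_start - 2   # bytes left for data once the checksum is reserved
        if length > available:
            problems.append("attribute 0x%08X declares %d bytes, only %d available"
                            % (attr_id, length, max(available, 0)))
            break  # nothing after a lying length field can be trusted
        data = blob[data_start:data_start + length]
        (stored,) = struct.unpack_from("<H", blob, data_start + length)
        if stored != tnef_checksum(data):
            problems.append("checksum mismatch on attribute 0x%08X" % attr_id)
        pos = data_start + length + 2
    return problems

# Constructed samples: a minimal well-formed stream and one whose length field overruns the buffer.
GOOD_TNEF = build_tnef([build_attribute(1, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))])
OVERSIZED_TNEF = build_tnef([build_attribute(1, ATT_TNEF_VERSION, b"\x00\x00\x01\x00", 0x7FFFFFFF)])
```

A gateway hook would quarantine any message whose TNEF part returns a non-empty list, and the same walker is a cheap pre-filter in front of a MAPI-based scanner.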

Microsoft has released a patch - also available via this same link, under "Security Update Deployment" - so you can protect yourself and your organization.  I strongly urge you all to do this immediately, and to have your end-users run Windows Update (Start|Windows Update on Vista, Microsoft Windows Update Online for everyone else) to get the critical Internet Explorer patches as well.

Now, it is not only your Exchange server that you are protecting.  If an attacker gains privileges on your mail server, they can use it as a launching pad for attacking other servers with the same exploit or any other they'd care to try.  That means that if you don't patch your systems, you could inadvertently be responsible for attacks against other servers all over the net.

And so, I am asking my readers to protect the community at large as much as they can, by spending the time necessary to download and install the appropriate patches.  Yes, this will mean a maintenance window for a reboot.  Yes, it's annoying that we've gotten hit with yet another critical vulnerability.  But, yes, it is our responsibility to make sure that the attacks stop at our own borders, and that our own mail servers do not become the launching point for the next Code Red.


posted by Mike Talon at
