The June 2016 security bulletin includes updates for all supported versions of Microsoft Exchange Server that are rated Important. The first update is an information disclosure bug affecting Exchange 2013 and 2016:
An email filter bypass exists in the way that Microsoft Exchange parses HTML messages that could allow information disclosure. An attacker who successfully exploited the vulnerability could identify, fingerprint, and track a user online if the user views email messages using Outlook Web Access (OWA). An attacker could also combine this vulnerability with another one, such as a Cross-Site Request Forgery (CSRF), to amplify the attack.
To exploit the vulnerability, an attacker could include specially crafted image URLs in OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems. The update corrects the way that Exchange parses HTML messages.
The update also includes a fix for stack buffer overflows in Oracle Outside In libraries that applies to all supported versions of Exchange.
You can read more about the vulnerabilities and download the patches here.
Note that at present the supported versions of Exchange are:
- Exchange Server 2007 SP3
- Exchange Server 2010 SP3
- Exchange Server 2013 SP1 (CU4), CU11, and CU12 – side note, if you’re still running SP1/CU4, yes you’re technically still supported, but please update
- Exchange Server 2016 RTM and CU1
There is no mitigation for this attack at present. The next set of cumulative updates and update rollups will no doubt include this security update in them. Given the normal three-monthly update cadence for Exchange, we can expect to see new cumulative updates and update rollups this month. In that case, you can plan to deploy the Important update now, or plan to deploy it as part of the next update release.