June 2016 Security Updates for Exchange Server (MS16-079) – KB3150501
Microsoft has released security bulletin MS16-079 in June 2016, which includes updates for all supported versions of Microsoft Exchange Server and is rated Important.
The first update fixes an information disclosure bug affecting Exchange 2013 and 2016:
An email filter bypass exists in the way Microsoft Exchange parses HTML messages, which could allow information disclosure. An attacker who successfully exploited the vulnerability could identify, fingerprint, and track a user online if the user reads messages in Outlook Web Access (OWA). An attacker could also combine this vulnerability with another one, such as a Cross-Site Request Forgery (CSRF), to magnify the attack.
To exploit the vulnerability, an attacker would include specially crafted image URLs in a message read in OWA; the images would then be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector is the information disclosure technique used by web beacons and other tracking systems: the mere act of opening the message tells the sender who opened it, when, and from which IP address. The update corrects the way that Exchange parses HTML messages.
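The filtering described above, as an added illustration that is not part of the original post and is not Exchange's own code: a small Python filter that rewrites every remote image or stylesheet reference in an HTML message to a harmless placeholder and records what it blocked, so that rendering the message in a webmail client makes no callback to the sender. The post does not say which HTML construct slipped past OWA's filter, so the example simply covers the usual places a beacon can hide (src, srcset, background, inline and embedded CSS url(), link href) and allows only cid: and data: references, which resolve inside the message itself. The sample message and the host tracker.example are constructed for the example.

```python
"""Neutralise external image references (web beacons) in an HTML e-mail.

Added example of the filtering a webmail client is expected to apply before
rendering a message; not Exchange's own code. The sample message and the
host tracker.example below are constructed for this example.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value the browser fetches when the element is rendered.
REMOTE_ATTRS = {"src", "srcset", "lowsrc", "dynsrc", "background", "poster"}
# URL schemes that resolve inside the message and make no network request.
SAFE_SCHEMES = {"cid", "data"}
PLACEHOLDER = "about:blank"
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


def is_remote(url):
    """True if loading this URL would contact a server (a beacon callback)."""
    url = url.strip()
    if not url:
        return False
    if url.startswith("//"):          # scheme-relative URLs are still remote
        return True
    return urlparse(url).scheme.lower() not in SAFE_SCHEMES


class BeaconFilter(HTMLParser):
    """Re-emits the HTML with every remote resource reference replaced."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.blocked = []             # (tag, attribute, original url)
        self._in_style = False

    def _scrub_css(self, tag, css):
        def repl(m):
            if is_remote(m.group(1)):
                self.blocked.append((tag, "css-url", m.group(1)))
                return "none"
            return m.group(0)
        return CSS_URL.sub(repl, css)

    def _scrub(self, tag, attrs):
        clean = []
        for name, value in attrs:       # html.parser lowercases names for us
            if value is None:
                clean.append((name, None))
                continue
            if name in REMOTE_ATTRS or (tag == "link" and name == "href"):
                # srcset carries "url 2x, url 3x" candidates; check each URL
                candidates = value.split(",") if name == "srcset" else [value]
                urls = [c.strip().split()[0] for c in candidates if c.strip()]
                if any(is_remote(u) for u in urls):
                    self.blocked.append((tag, name, value))
                    value = PLACEHOLDER
            elif name == "style":
                value = self._scrub_css(tag, value)
            clean.append((name, value))
        return clean

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag] + [n if v is None else f'{n}="{escape(v, quote=True)}"'
                         for n, v in attrs]
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        self._emit_tag(tag, self._scrub(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, self._scrub(tag, attrs), self_closing=True)

    def handle_endtag(self, tag):
        self._in_style = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # <style> bodies are delivered raw; scrub url() references there too
        self.out.append(self._scrub_css("style", data) if self._in_style else data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def neutralise(html_message):
    """Return (filtered html, list of blocked references)."""
    f = BeaconFilter()
    f.feed(html_message)
    f.close()
    return "".join(f.out), f.blocked


# Constructed sample: one legitimate inline image, one data: image, and
# several callbacks to the hypothetical attacker host tracker.example.
SAMPLE = """<html><head>
<style>.h { background-image: url('https://tracker.example/h.png') }</style>
<link rel="stylesheet" href="https://tracker.example/s.css">
</head><body style="background:url(http://tracker.example/bg.gif)">
<p>Quarterly report attached &amp; ready for review.</p>
<img src="cid:logo@example.org" alt="logo">
<img src="http://tracker.example/pixel.gif?u=alice" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7">
<table background="//tracker.example/t.png"><tr><td>&nbsp;</td></tr></table>
</body></html>"""

if __name__ == "__main__":
    clean, blocked = neutralise(SAMPLE)
    for tag, attr, url in blocked:
        print(f"blocked <{tag} {attr}> -> {url}")
    print(clean)
```

The filter is deliberately an allow-list: anything that is not cid: or data: is treated as remote, because a beacon only needs one unfiltered attribute to fire. Note that the blocked list is also useful on the detection side; a one-pixel image whose URL carries a per-recipient identifier, as in the pixel.gif line of the sample, is the classic tracking pattern.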
You can read more about the vulnerabilities and download the patches here.
Note: Exchange security updates are built for specific cumulative updates, so a server must be on one of the supported versions below before the update can be installed. Supported Exchange versions are:
Exchange Server 2007 SP3
Exchange Server 2010 SP3
Exchange Server 2013 SP1 (CU4), CU11, and CU12 – side note, if you’re still running SP1/CU4, yes you’re technically still supported, but please update
Exchange Server 2016 RTM and CU1
This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in a message read in Outlook Web Access (OWA) that is loaded, without warning or filtering, from the attacker-controlled URL.
The security update addresses the vulnerabilities by changing the way that Microsoft Exchange parses HTML messages.
This update also includes a fix for stack buffer overflows in the Oracle Outside In libraries, which affect all supported versions of Microsoft Exchange.
At the time of writing there is no known exploit for this vulnerability. Exchange normally follows a quarterly update cadence, so we can expect these security fixes to be included in the cumulative updates and update rollups released this month.
Microsoft MVP | Exchange Server