December 2014 security update for Exchange Server 2013 Service Pack 1 and Cumulative Update 6

ID KB3011140
Type mskb
Reporter Microsoft
Modified 2020-04-21T03:36:39


<html><body><p>This article describes a security update that resolves privately reported vulnerabilities in Microsoft Exchange Server 2013 SP1.</p><h2>Symptoms</h2><div class="kb-symptoms-section section"><h3 class="sbody-h3">Symptoms 1: Outlook Web App Token Spoofing Vulnerability</h3>A token spoofing vulnerability exists in Microsoft Exchange Server. It could allow an attacker to send email messages that seem to come from a trusted source, and the messages contain a link to a website of the attacker. In a web-based attack scenario, an attacker could host a website that is used to try exploiting this vulnerability. Additionally, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. However, in almost every case, an attacker cannot force users to view the attacker controlled content. Instead, an attacker would have to convince users to take action, typically by having them click a link in an email message or Instant Messenger message, to take users to his or her website.<br/><br/><h3 class="sbody-h3">Symptoms 2: Exchange URL Redirection Vulnerability</h3>An attacker can redirect a user to an arbitrary URL from a link that seems to originate from a known or trusted domain.<br/><br/><span class="text-base">Notes</span><ul class="sbody-free_list"><li>To generate the malicious link, an attacker must already be an authenticated Exchange user and be able to send email messages.</li><li>The malicious link could be sent in an email, but the attacker would have to convince users to open the link in order to exploit the vulnerability.</li></ul><br/><h3 class="sbody-h3">Symptoms 3: Multiple Outlook Web App XSS Vulnerabilities</h3>An attacker who successfully exploits these vulnerabilities could read content that he or she is not authorized to read. The attacker could also use the identity of the victim to take actions on the Outlook Web App site on behalf of the victim, such as changing permissions, deleting content, and injecting malicious content in the browser of the victim.<br/></div><h2>Cause</h2><div class="kb-cause-section section"><h3 class="sbody-h3">Cause for Symptoms 1</h3>This issue occurs because Outlook Web App does not properly validate a request token.<br/><h3 class="sbody-h3">Cause for Symptoms 2</h3>This issue occurs because Outlook Web App does not properly validate redirection tokens.<br/><h3 class="sbody-h3">Cause for Symptoms 3</h3>This issue occurs because Exchange Server does not properly validate input.<br/></div><h2>Resolution</h2><div class="kb-resolution-section section"><h3 class="sbody-h3">Method 1: Windows Update</h3>This update is available from <a href="" id="kb-link-1" target="_self">Windows Update</a>.<h3 class="sbody-h3">Method 2: Microsoft Update Catalog</h3>To get the stand-alone package for this update, go to the <a href="" managed-link="" target="_blank">Microsoft Update Catalog</a> website.<h3 class="sbody-h3">Method 3: Install an update</h3>We recommend installing <a href="" id="kb-link-4" target="_self">Cumulative Update 7</a> or a later update that contains this security fix for Exchange Server 2013.</div><h2>Status</h2><div class="kb-status-section section"><span>Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.</span></div></body></html>