Microsoft Exchange Server CVE-2016-3378 Open Redirection Vulnerability

Description

Microsoft .NET Framework is prone to an open-redirection vulnerability because it fails to properly sanitize user-supplied input. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.

Technologies Affected

• Microsoft Exchange Server 2013 Cumulative Update 12
• Microsoft Exchange Server 2013 Cumulative Update 13
• Microsoft Exchange Server 2013 SP1
• Microsoft Exchange Server 2016 Cumulative Update 1
• Microsoft Exchange Server 2016 Cumulative Update 2

Recommendations

Do not follow links provided by unknown or untrusted sources.
Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.

Set web browser security to disable the execution of script code or active content.
Since a successful exploit of this issue allows malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.

Updates are available. Please see the references or vendor advisory for more information.