Today the Exchange team released security bulletin MS13-105. Updates are being made available for the following versions of Exchange Server: Exchange Server 2007 SP3 Exchange Server 2010 SP2...
Updated Jul 01, 2019
Version 2.0
Blog Post
MS13-105 first states that "The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. These vulnerabilities could allow remote code execution in the security context of the LocalService account if an attacker sends an email message containing a specially crafted file to a user on an affected Exchange server."
Than later in the MS13-105 in "MAC Disabled Vulnerability - CVE-2013-1330" FAQ it states that "An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Local System service account."
Also, FAQ for "MAC Disabled Vulnerability - CVE-2013-1330" states that the attack vector is "In an attack scenario, the attacker could send specially crafted content to the target server.
I am not certain if I understood this correctly. Is it really possible for attacker to send specially crafted content to target Exchange server and get local system service account access, without any action from user? If so, than this definitely is more serious vulnerability than those for WebReady Document Vieweing and Data Loss Prevention.
Thanks for any clarification ...