8/14/2012: We have released updates to address the vulnerability mentioned in this post. See Microsoft Security Bulletin MS12-058 - Critical.

Yesterday the Microsoft Security Research Center issued Microsoft Security Advisory (2737111): Microsoft is investigating new public reports of vulnerabilities in third-party code, the Oracle Outside In libraries, that affect Web-ready document viewing in Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010. We recommend that customers apply the workarounds described in this advisory so that they are not exposed to the vulnerabilities described in Oracle Critical Patch Update Advisory - July 2012.

The reported vulnerability that is being investigated impacts Web-ready document viewing in Exchange 2010 and Exchange 2007. Web-ready document viewing is a feature that allows Outlook Web App users to view supported attachments in an email without having to download them to a computer and open them in locally installed applications.

For more information, see Microsoft Security Advisory (2737111) and More information on Security Advisory 2737111 on the Microsoft Security Research & Defense blog.

Bharat Suneja

24 Comments
Not applicable

Yikes.  Advisory link isn't working yet, but I assume since we always disable webreadydocviewing on our CAS servers we're in the clear.

Not applicable

@pesos: Thanks for catching that, links updated. The workaround, as documented in the advisory, is in fact to disable web-ready document viewing.

Not applicable

Is there a timeframe as to when a hotfix will be released?  Web Ready Doc viewing is a very useful feature we'd like to turn back on as soon as possible.  Especially for the Linux/Mac end-user population.

Not applicable

@Breese: We don't have an ETA at the moment. We'll update as more information is available.

Not applicable

Microsoft Exchange stinks - I have begged our IT guy to replace it asap. We are overwhelmed by junk!!! I also have lost a ton of my e-mail history.

Not applicable

@vixster

If so, your e-mail people haven't got Exchange configured properly or are using the wrong 3rd party add-ons for messaging hygiene.

Not applicable

Obviously you should've replaced your IT guy instead! Running Exchange for more than a decade with no data loss.

Not applicable

In our environment the command needed to be modified to disable this on Exchange 2007 servers versus Exchange 2010 servers. Exchange 2010 EMS can't modify Exchange 2007 resources.

Also, our Exchange 2007 servers made the change instantly and the [Open as Web Page] is no longer displaying. Our Exchange 2010 servers have not made the change, so my suspicion is an IISRESET is required. Anyone know how this works? If I don't have to kick everyone off of web services I would prefer it.

Not applicable

@Exchange Admin

We disabled WebReady viewing on our Exchange 2010 servers today and did not need to perform an IISreset. I would run Get-OWAVirtualDirectory | Select Name,WebReadyDocumentViewingonPublicComputersEnabled,WebReadyDocumentViewingonPrivateComputersEnabled to make sure it is truly disabled on all servers.

Hope this helps.

Not applicable

The output shows it set to FALSE on all servers.

Not applicable

The related Technet article does not say any additional work is needed (technet.microsoft.com/.../aa995967.aspx).  I might try a different browser or workstation to see if it still acts as if it is enabled.  You can also use the Technet article to check this with the EMC (although this will probably show exactly what the management shell displays).

Not applicable

Our Exchange 2010 servers are now reflecting the change without an IISRESET.

I'll second the question about a time frame for a fix.

Not applicable

Workaround works well for us without iisreset.

Trying to open documents in the browser now brings a message:

the WebReady Document Viewing service was disabled and so on...

So it's OK for us.

Not applicable

In the Advisory you specify some PowerShell code to disable the web-ready document viewing.

In Exchange 2010 in the Exchange Management Console I found the option to disable web-ready document viewing in the following place:

Organization Configuration | Client Access | Outlook Web App Mailbox Policies | Default, on the File Access tab (pub/priv)

Is this the same?

Not applicable

@Karsten: Yes, it's the same. If you have multiple servers, don't forget to repeat the steps for each server.

Not applicable

If OWA Mailbox policies are assigned to users, one more step is also needed, described at mailmaster.se/blog

Not applicable

@Magnus Bjork: Thanks for your reply. The place I mentioned was not exactly the right place - webready still worked although I made the setting.

I additionally made the setting for each server in the following place and it worked:

Server Configuration | Client Access | Outlook Web App | owa (Default Web Site)

Not applicable

@Karsten: You can use the Shell to quickly disable it on the OWA virtual directory on multiple servers.

@Magnus: Yes, this needs to be disabled in any OWA policies as well (including the default OWA policy). An OWA policy is not applied to users by default.

Not applicable

Will OWA publishing with TMG 2010 prevent such attacks? This could be prevented by the NIS protection, couldn't it? Any comment about this constellation is appreciated...

Not applicable

@Bharat: Thanks - but as the PowerShell way is the way the Advisory suggests, I have seen this.

But I wasn't sure if I could undo the change with PowerShell in case MS has solved the problem with webready document viewing. That's a lot easier with the GUI.

Not applicable

@Karsten: Certainly easier with the GUI. Use the tool you're most comfortable with.

To undo from the Shell, simply set the same parameters in OWAVdir (and any OWA policies) to $true.

Not applicable

I disabled web ready document viewing in the EMC GUI. But when I checked EMS, only WebReadyDocumentViewingonPublicComputersEnabled was set to False. It was still True for Private Computers.

Better to use the shell command provided in the advisory to disable it for both Public and Private computers. Waiting for a fix from MS; it's functionality that users rather like.
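The workaround discussed in this thread (disable WebReady Document Viewing for both public and private computers, on every OWA virtual directory and on every OWA mailbox policy, then verify) as one Exchange Management Shell script. This is an added example, not the advisory's own code; it assumes it is run from the Exchange Management Shell of the same Exchange version as the servers being changed, since a 2010 shell cannot modify 2007 objects.

```powershell
# Added example (not from the advisory or this post). Run in the Exchange
# Management Shell matching the version of the servers you are changing.

# 1. Every OWA virtual directory on every Client Access server: the GUI
#    may only clear the "public" setting, so set both explicitly.
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory `
    -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $false

# 2. Every OWA mailbox policy, including the default one: a policy assigned
#    to a user overrides the virtual directory setting for that user.
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy `
    -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $false

# 3. Verify: list any virtual directory or policy where either flag is
#    still $true. An empty result means the workaround is fully applied.
$stillEnabled = @(
    @(Get-OwaVirtualDirectory) + @(Get-OwaMailboxPolicy) |
        Where-Object {
            $_.WebReadyDocumentViewingOnPublicComputersEnabled -or
            $_.WebReadyDocumentViewingOnPrivateComputersEnabled
        } |
        Select-Object Identity,
            WebReadyDocumentViewingOnPublicComputersEnabled,
            WebReadyDocumentViewingOnPrivateComputersEnabled
)

if ($stillEnabled.Count -eq 0) {
    "WebReady Document Viewing is disabled on all OWA vdirs and policies."
} else {
    "WebReady Document Viewing is STILL enabled on:"
    $stillEnabled | Format-Table -AutoSize
}

# To undo once a fix is installed, rerun steps 1 and 2 with $true.
```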

Not applicable

Does anyone know if this vulnerability affects Exchange 2007 SP2?

Not applicable

@Me: Please see Microsoft Product Lifecycle for Exchange Server:

http://aka.ms/ex2007support

Exchange 2007 SP2 has been past its end of support for more than a year now. You must upgrade to SP3.