On Tuesday, February 10, 2009, Microsoft released its monthly patches. Included in this set was a patch for a pair of relatively easily exploitable Exchange vulnerabilities affecting all versions of Exchange since Exchange 2000 Server. Scott Lowe provides details about these vulnerabilities and direct links to update downloads.
Here's a nasty one, folks. In short, all currently supported releases of Exchange Server are vulnerable to a relatively easily exploited attack that can result in remote code execution taking place with the Exchange Server service account rights. A second vulnerability can result in a successful denial of service attack on your Exchange servers. Microsoft has released updates for these vulnerabilities.
Right from Microsoft regarding security bulletin MS09-003 (emphasis added):
"This security update resolves two privately reported vulnerabilities in Microsoft Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding."
These vulnerabilities affect Exchange 2000 Server, Exchange Server 2003, and Exchange Server 2007 SP1. The following updates include fixes for these vulnerabilities:
- Exchange Server 2007 SP1 Update Rollup 6. I did not see mention of a fix for Exchange Server 2007 RTM — only SP1; Update Rollup 7, released 7/8/2008, is still the latest update for Exchange Server 2007 RTM, but I would be very surprised if RTM is not also affected and, if so, would expect that Microsost will release an update for it. If you are running multiple Exchange Server 2007 servers with different roles on each, you do not need to worry about the order in which you apply this update as long as you apply the update to all servers.
- Security Update for Exchange Server 2003 Service Pack 2
- Security Update for Exchange 2000 Server
These are the only versions of Exchange for which Microsoft continues to provide security updates.
If any of you happen to run across information regarding this exploit as it pertains to Exchange Server 2007 RTM, please let me know, and I'll update this post. Is anyone still running the RTM version at this point?