MS Exchange Elevation Privilege & Information Disclosure Update
Modified: February 12th, 2018 |
This article will give brief information about How to Perform Security Update for Microsoft Exchange Server. The errors caused in Elevation Privilege and Information Disclosure can be solved using this article.
Introduction to Update Exchange Server and Security in 2007, 2010, 2016
Note: It might be possible that Microsoft stops providing Security Update for Microsoft Exchange Server 2007 in coming years(Possible date of End of support is on 11th april 2017). You might consider changing it into new versions. Also, this article is for servers that use third party tool. It describe Elevation of Privilege and Information Disclosure Vulnerabilities
If you are reading this article you might have an idea about Exchange Server. Let’s learn briefly about Microsoft 2016, 2010 and 2007 servers and this issue for a start. The above Microsoft Exchange Versions use external Applications. This update is specifically designed for those issues. Since by using third party tools within Exchange you provide privileges to other software. Hence, this update is released to overcome that issue.
The update does two tasks and mainly for two types of vulnerability:
1. Oracle Outside In Libraries Elevation of Privilege Vulnerabilities
2. Microsoft Exchange Information Disclosure Vulnerability
Note: Your Data might be vulnerable even after following issues are rectified. Microsoft clearly states that they do not take responsibility for data loss or theft even after these updates.
Reason for providing Security Update against Cross-Site Request Forgery(CSRF) in Exchange Server
The Exchange 2016, 2010 and 2007 update against Cross-Site Request Forgery (CSRF) on Outlook Web Access (OWA) is based following reasons:
1. Email Filters that allow Information disclosure
2. Vulnerability to user identity, fingerprint(online) risks
3. Danger to security of Outlook web address Book
What needs to be Done against Information Disclosure Vulnerability Issue in Exchange Server?
It must be remembered that Microsoft keeps on updating its security updates for various versions Outlook Web Access (OWA). The user needs to keep track of these updates so that they can identify the security risks and its solutions. To do so you may also check updates on this blog.
This update was required for following the version of Microsoft based on Information Disclosure and Elevation of Privilege vulnerability. Th following versions were affected during this update.
For Elevation of Privilege Vulnerability in Exchange Server
For Information Disclosure vulnerability in Exchange Server
For Oracle Outside In Libraries Vulnerability Update of Exchange Server
Their following Elevation of Privilege Vulnerabilities is resolved for Oracle Critical Patch Advisory.
The above article is based on Security Update for Microsoft Exchange Server. Remember, the changes in vulnerabilities for Oracle Outside in Libraries and Outlook Web Access (OWA) that are associated with MS Exchange server will also change the working. There are various issues faced by a user when they implemented Elevation Privilege and Information Disclosure changes in Exchange Server 2007, 2010 and 2016. But this will increase the security of MS Servers.