====================================================================
                            CERT-Renater

                Information Note No. 2012/VULN293
____________________________________________________________________

DATE                 : 25/07/2012

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Microsoft Exchange Server
                       version 2007, 2010, Microsoft FAST Search
                       Server for SharePoint version 2010.

======================================================================
http://technet.microsoft.com/en-us/security/advisory/2737111
______________________________________________________________________

Microsoft Security Advisory (2737111)

Vulnerabilities in Microsoft Exchange and FAST Search Server 2010 for
SharePoint Parsing Could Allow Remote Code Execution

Published: Tuesday, July 24, 2012

Version: 1.0

General Information

Executive Summary

Microsoft is investigating new public reports of vulnerabilities in
third-party code, Oracle Outside In libraries, that affect Microsoft
Exchange Server 2007, Microsoft Exchange Server 2010, and FAST Search
Server 2010 for SharePoint, which ship that component. Customers that
apply the workarounds described in this advisory are not exposed to the
vulnerabilities described in Oracle Critical Patch Update Advisory -
July 2012.

The vulnerabilities exist due to the way that files are parsed by the
third-party, Oracle Outside In libraries. In the most severe case of
Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010, it is
possible under certain conditions for the vulnerabilities to allow an
attacker to take control of the server process that is parsing a
specially crafted file. An attacker could then install programs; view,
change, or delete data; or take any other action that the server process
has access to do.

Upon completion of this investigation, Microsoft will take the
appropriate action to help protect our customers.

Mitigating Factors:

  * The transcoding service in Exchange that uses the Oracle Outside In
    libraries is running in LocalService account.
  * Microsoft SharePoint Server is only affected by this issue when FAST
    Search with Advanced Filter Pack is enabled. By default, Advanced
    Filter Pack in FAST is disabled. When Advanced Filter Pack is
    enabled, the component that uses the Oracle Outside In libraries is
    running with a restricted token.

Recommendation. Please see the Suggested Actions section of this
advisory for more information.

Advisory Details

Issue References

For more information about this issue, see the following references:

References          Identification
Oracle Advisory     Oracle Critical Patch Update Advisory - July 2012
CERT Reference      VU#118913
CVE Reference       CVE-2012-1766
                    CVE-2012-1767
                    CVE-2012-1768
                    CVE-2012-1769
                    CVE-2012-1770
                    CVE-2012-1771
                    CVE-2012-1772
                    CVE-2012-1773
                    CVE-2012-3106
                    CVE-2012-3107
                    CVE-2012-3108
                    CVE-2012-3109
                    CVE-2012-3110

Affected Software

  Microsoft Exchange Server 2007 Service Pack 3
  Microsoft Exchange Server 2010 Service Pack 1
  Microsoft Exchange Server 2010 Service Pack 2
  Microsoft SharePoint Server 2010 Service Pack 1 [1]
  FAST Search Server 2010 for SharePoint

[1] Microsoft SharePoint Server is only affected by this issue when FAST
Search with Advanced Filter Pack is enabled. By default, Advanced Filter
Pack in FAST is disabled. When Advanced Filter Pack is enabled, the
component that uses the Oracle Outside In libraries is running with a
restricted token.

Suggested Actions

Apply Workarounds

Workarounds refer to a setting or configuration change that does not
correct the underlying issue but would help block known attack vectors
before a security update is available. See the next section,
Workarounds, for more information.

Workarounds

Disable transcoding service

1. Log in to the Exchange Management Shell as an Exchange Organization
   Administrator.
2. Issue the following PowerShell command:

   Get-OwaVirtualDirectory |
     where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010'} |
     Set-OwaVirtualDirectory -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False

Impact of workaround. OWA users may not be able to preview the content
of email attachments.

Disable the Advanced Filter Pack

On the FAST Search Server 2010 for SharePoint administration server (or
single server), perform these steps:

1. On the Start menu, click All Programs.
2. Click Microsoft FAST Search Server 2010 for SharePoint.
3. Right-click Microsoft FAST Search Server 2010 for SharePoint shell
   and select Run as administrator.
4. At the command prompt, browse to installer\scripts under the
   installation folder.
5. Type the following command:

   .\AdvancedFilterPack.ps1 -disable

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          |    tel : 01-53-94-20-44       +
+ 23 - 25 Rue Daviel    |    fax : 01-53-94-20-41       +
+ 75013 Paris           |    email: certsvp@renater.fr  +
=========================================================
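
Added example, not part of the Microsoft advisory or the CERT-Renater note: a check that the "Disable transcoding service" workaround above is in effect on every OWA virtual directory. The function name Get-WebReadyExposure and the sample objects are constructed for illustration; the check assumes the objects returned by Get-OwaVirtualDirectory expose the two WebReady settings as properties with the same names as the Set-OwaVirtualDirectory parameters, and PowerShell 2.0 or later.

```powershell
# Reports OWA virtual directories on which WebReady Document Viewing
# (the transcoding feature) is still enabled after the workaround.
function Get-WebReadyExposure {
    process {
        $vdir = $_
        # Same version filter as the advisory's workaround command.
        $versions = 'Exchange2007', 'Exchange2010'
        if ($versions -notcontains [string]$vdir.OwaVersion) { return }

        $public  = [bool]$vdir.WebReadyDocumentViewingOnPublicComputersEnabled
        $private = [bool]$vdir.WebReadyDocumentViewingOnPrivateComputersEnabled

        # Either setting left on means attachments can still be transcoded.
        if ($public -or $private) {
            New-Object PSObject -Property @{
                Identity       = [string]$vdir.Identity
                PublicEnabled  = $public
                PrivateEnabled = $private
            }
        }
    }
}

# Constructed sample objects standing in for Get-OwaVirtualDirectory
# output, so the check can be exercised without an Exchange server.
$sample = @(
    New-Object PSObject -Property @{
        Identity   = 'CAS01\owa (Default Web Site)'
        OwaVersion = 'Exchange2010'
        WebReadyDocumentViewingOnPublicComputersEnabled  = $false
        WebReadyDocumentViewingOnPrivateComputersEnabled = $false
    }
    New-Object PSObject -Property @{
        Identity   = 'CAS02\owa (Default Web Site)'
        OwaVersion = 'Exchange2010'
        WebReadyDocumentViewingOnPublicComputersEnabled  = $false
        WebReadyDocumentViewingOnPrivateComputersEnabled = $true
    }
)

$exposed = @($sample | Get-WebReadyExposure)
if ($exposed.Count -eq 0) { 'Workaround applied on all OWA virtual directories.' }
else { $exposed | Format-Table Identity, PublicEnabled, PrivateEnabled -AutoSize }

# In the Exchange Management Shell, run against live data with:
#   Get-OwaVirtualDirectory | Get-WebReadyExposure
```

Any row returned identifies a virtual directory where the workaround command still needs to be applied.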