Malicious MIME Maims Microsoft Exchange Server

Severity: High

8 May, 2007

Summary:

Today, Microsoft released a security bulletin describing four security vulnerabilities in Microsoft Exchange. By sending a specially crafted email to anyone in your network, an anonymous and remote attacker can exploit the worst of these flaws to gain complete control of your email server. If you use Exchange, you should download, test, and install Microsoft’s update right away.

Exposure:

Microsoft Exchange is one of the most popular email servers used today.

In a security bulletin released today, Microsoft describes four security vulnerabilities affecting all current versions of Exchange. The worst of these flaws involves Exchange’s inability to properly decode specially crafted MIME content. Specifically, Exchange doesn’t properly handle base64 encoded MIME content. By sending a maliciously crafted email to any valid email address on your Exchange server, an attacker can exploit this vulnerability to gain total control of your email server. Not only does this earn the attacker full access to your sensitive email, it also provides a valuable foothold for the attacker to penetrate the rest of your network. You should consider this flaw of the utmost risk and patch it immediately.

Microsoft’s bulletin also describes three other flaws: two Denial of Service (DoS) vulnerabilities and an information disclosure flaw. However, the MIME decoding vulnerability alone should convince most administrators to patch right away.

Solution Path:

Microsoft has released patches to fix these critical Exchange issues. If you manage an Exchange email server, we urge you to download, test, and deploy the appropriate patch immediately.

For All WatchGuard Users:

Many of WatchGuard’s Firebox models have an SMTP proxy that you can configure to block all base64 encoded MIME content. This would prevent attackers from exploiting the MIME decoding flaw against your Exchange server. However, most email attachments are base64 encoded. Blocking base64 encoded content would likely prevent your users from receiving any email attachments. Therefore, we recommend you apply Microsoft’s Exchange patch instead.
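
To see why a blanket base64 block also stops legitimate attachments, the following added example (not part of the original advisory, and not WatchGuard proxy configuration) uses Python's standard email package to list the MIME parts of a message by transfer encoding. The message, addresses, file name and helper names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample() -> bytes:
    """Constructed sample: a plain-text body plus one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "user@example.com"          # constructed address
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.\n")
    # Binary payloads get Content-Transfer-Encoding: base64 by default.
    msg.add_attachment(bytes(range(256)), maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()


def leaf_parts(raw: bytes):
    """Return (content_type, filename, transfer_encoding) per leaf MIME part."""
    msg = message_from_bytes(raw, policy=policy.default)
    rows = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # RFC 2045: a missing Content-Transfer-Encoding header means 7bit.
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        rows.append((part.get_content_type(), part.get_filename(), cte))
    return rows


def blocked_by_base64_rule(raw: bytes):
    """Parts that a 'block all base64 MIME content' rule would stop."""
    return [row for row in leaf_parts(raw) if row[2] == "base64"]


if __name__ == "__main__":
    sample = build_sample()
    for ctype, name, cte in leaf_parts(sample):
        verdict = "BLOCKED" if cte == "base64" else "passes"
        print(f"{ctype:28} {str(name):12} {cte:8} {verdict}")
```

Run against a sample of your own stored mail, the same listing shows how much ordinary traffic such a rule would drop before you consider it as a stopgap.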

Status:

Microsoft has released patches to fix this flaw.
