SecurityvulnsSECURITYVULNS:DOC:21334Microsoft Security Bulletin MS09-003 - Critical Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)
Microsoft Security Bulletin MS09-003 - Critical
Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)
Published: February 10, 2009
Version: 1.0
General Information
Executive Summary
This security update resolves two privately reported vulnerabilities in Microsoft Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.
This security update is rated Critical for all supported editions of Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, and Microsoft Exchange Server 2007. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerabilities by modifying the way Microsoft Exchange Server interprets TNEF messages and MAPI commands. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
Known Issues. Microsoft Knowledge Base Article 959239 documents the currently known issues that customers may experience when installing this security update, and recommended solutions. When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles.
Top of sectionTop of section
Affected and Non-Affected Software
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
Microsoft Server Software Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by this Update
Microsoft Exchange 2000 Server Service Pack 3 with the Update Rollup of August 2004
(KB959897)
Remote Code Execution
Critical
None
Microsoft Exchange Server 2003 Service Pack 2
(KB959897)
Remote Code Execution
Critical
None (See Update FAQ for additional details)
Microsoft Exchange Server 2007 Service Pack 1*
(KB959241)
Remote Code Execution
Critical
MS08-039
*Includes 32-bit and x64-based editions
Top of sectionTop of section
Frequently Asked Questions (FAQ) Related to This Security Update
Where are the file information details?
The file information details can be found in Microsoft Knowledge Base Article 959239.
What is the difference between the servicing models for Microsoft Exchange Server 2007 and Microsoft Exchange Server 2003, and how does the difference impact the updates in this security bulletin?
With the release of Microsoft Exchange Server 2007, Microsoft Exchange has moved to a new servicing model based on customer feedback and consistency with other Microsoft product servicing models. Exchange Server 2007 updates are cumulative at both the offered update level and at the individual file level, while Exchange Server 2003 updates are cumulative at the file level only.
For a more detailed explanation of the Microsoft Exchange servicing model, please see the Microsoft Exchange Server 2007 product documentation. For questions regarding the new Exchange servicing model, please contact Microsoft Product Support Services.
Do I need to install the update rollup package for Exchange Server 2007-based servers in a particular sequence?
Our test infrastructure helps guarantee that our updates work among multiple server roles. Therefore, you do not have to apply an update rollup package in a required order to the Exchange servers that are running different roles. However, you should apply an update rollup package to each Exchange Server 2007-based server in your environment. This is true because the update rollups are not divided for use with different Exchange roles or for use with particular file configurations.
If you are a customer of CAS Proxy Deployment Guidance, and if you have deployed CAS-CAS proxying, apply the update rollup to the Internet-facing Client Access servers before you apply the update rollup to the non-Internet-facing Client Access servers. For other Exchange Server 2007 configurations, the order in which you apply the update rollup to the servers is not important.
For more information about CAS-CAS proxying, see Understanding Proxying and Redirection.
Why does this update address several reported security vulnerabilities?
This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.
Customers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Top of sectionTop of section
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the February bulletin summary. For more information, see Microsoft Exploitability Index.
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software Memory Corruption Vulnerability - CVE-2009-0098 Literal Processing Vulnerability - CVE-2009-0099 Aggregate Severity Rating
Microsoft Exchange 2000 Server Service Pack 3 with the Update Rollup of August 2004
Critical
Remote Code Execution
Important
Denial of Service
Critical
Microsoft Exchange Server 2003 Service Pack 2
Critical
Remote Code Execution
Important
Denial of Service
Critical
Microsoft Exchange Server 2007 Service Pack 1
Critical
Remote Code Execution
Not applicable
Critical
Top of sectionTop of section
Memory Corruption Vulnerability - CVE-2009-0098
A remote code execution vulnerability exists in the way Microsoft Exchange Server decodes the Transport Neutral Encapsulation Format (TNEF) data for a message.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0098.
Mitigating Factors for Memory Corruption Vulnerability - CVE-2009-0098
Microsoft has not identified any mitigating factors for this vulnerability.
Top of sectionTop of section
Workarounds for Memory Corruption Vulnerability - CVE-2009-0098
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
•
Block MS-TNEF on Microsoft Exchange Server to help protect against attempts to exploit this vulnerability through SMTP e-mail
Blocking the application/ms-tnef MIME content type, could help protect Exchange servers and other affected programs from attempts to exploit this vulnerability if customers cannot install the available security update.
Systems can be configured to block certain types of files from being received as e-mail attachments. Microsoft TNEF-encoded e-mail messages, commonly known as rich text format (RTF) e-mail messages, can contain malicious OLE objects. These e-mail messages contain a file attachment that stores the TNEF information. This file attachment is usually named Winmail.dat. Blocking this file, and blocking the ms-tnef MIME type, could help protect Exchange servers and other affected programs from attempts to exploit this vulnerability if customers cannot install the available security update. To help protect an Exchange Server computer from attacks through SMTP, block the Winmail.dat file and all application/ms-tnef MIME type content before it reaches the Exchange Server computer.
Note You cannot mitigate this vulnerability by setting the Exchange rich-text format option in Exchange Server to Never used or by disabling TNEF processing by editing the registry.
Note Exchange supports other messaging protocols, such as X.400, that these workarounds do not protect. We recommend that administrators require authentication on all other client and message transport protocols to help prevent attacks using these protocols.
Note Filtering only for attachments that have the file name Winmail.dat may not be sufficient to help protect your system. A malicious file attachment could be given another file name that could then be processed by the Exchange Server computer. To help protect against malicious e-mail message’s, block all application/ms-tnef MIME type content.
There are many ways to block the Winmail.dat file and other TNEF content. Here are some suggestions:
•
You can use ISA Server 2000 SMTP Message Screener to block all file attachments or to block only the Winmail.dat file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2000 because ISA Server 2000 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 315132.
•
You can use ISA Server 2000 SMTP Filter to block all file attachments or to block only the Winmail.dat file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2000 because ISA Server 2000 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 320703.
•
You can use ISA Server 2004 SMTP Filter and Message Screener block all file attachments or just the Winmail.dat file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2004 because ISA Server 2004 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 888709.
•
You can use attachment filtering in Microsoft Exchange Server 2007 to apply filters at the server level to control the attachments that users receive. See Attachment Filtering for more information.
•
You can use third-party e-mail filters to block all application/ms-tnef MIME type content before it is sent to the Exchange Server computer or to a vulnerable application.
Impact of workaround: If TNEF attachments are blocked, e-mail messages that are formatted as RTF will not be received correctly. In some cases, users could receive blank e-mail messages instead of the original RTF-formatted e-mail message. In other cases, users may not receive e-mail messages that are formatted as RTF at all. Blocking the TNEF attachments will not affect e-mail messages that are formatted as HTML or that are formatted as plain text.
Top of sectionTop of section
FAQ for Memory Corruption Vulnerability - CVE-2009-0098
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges when a user opens or previews a specially crafted e-mail message sent in TNEF format or when the Microsoft Exchange Server Information Store processes the specially crafted message. An attacker could then install programs; view, change, or delete data; or create new accounts.
What causes the vulnerability?
Exchange server does not properly decode a message received in TNEF format.
What is TNEF?
Transport Neutral Encapsulation (TNEF) is a format used by the Microsoft Exchange Server when sending messages formatted as Rich Text Format (RTF). When Microsoft Exchange is sending a message to another Microsoft e-mail client, it extracts all the formatting information and encodes it in a special TNEF block. It then sends the message in two parts: the text message with the formatting removed, and the formatting instructions in the TNEF block. On the receiving side, a Microsoft e-mail client processes the TNEF block and re-formats the message.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. An attacker could then install programs; view, change, or delete data; or create new accounts.
How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by sending a specially crafted TNEF message to a Microsoft Exchange Server.
What systems are primarily at risk from the vulnerability?
Microsoft Exchange Servers are at risk.
What does the update do?
The update corrects the way that Microsoft Exchange Server interprets specific TNEF properties.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Top of sectionTop of section
Top of sectionTop of section
Literal Processing Vulnerability - CVE-2009-0099
A denial of service vulnerability exists in the EMSMDB2 (Electronic Messaging System Microsoft Data Base, 32 bit build) provider because of the way it handles invalid MAPI commands. An attacker could exploit the vulnerability by sending a specially crafted MAPI command to the application using the EMSMDB32 provider. An attacker who successfully exploited this vulnerability could cause the application to stop responding.
The denial of service vulnerability also affects the Microsoft Exchange System Attendant since it uses the EMSMDB32 provider. The Microsoft Exchange System Attendant is one of the core services in Microsoft Exchange and performs a variety of functions related to the on-going maintenance of the Exchange system.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0099.
Mitigating Factors for Literal Processing Vulnerability - CVE-2009-0099
Microsoft has not identified any mitigating factors for this vulnerability.
Top of sectionTop of section
Workarounds for Literal Processing Vulnerability - CVE-2009-0099
Microsoft has not identified any workarounds for this vulnerability.
Top of sectionTop of section
FAQ for Literal Processing Vulnerability - CVE-2009-0099
What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.
What causes the vulnerability?
The vulnerability is caused by Microsoft Exchange Server incorrectly handling a command in the EMSMDB32 provider.
What is MAPI?
MAPI is a set of functions that mail-enabled and mail-aware applications use to create, manipulate, transfer, and store mail messages. It gives application developers the tools to define the purpose and content of mail messages and gives them flexibility in their management of stored mail messages. MAPI also provides a common interface that application developers can use to create mail-enabled and mail-aware applications independent of the underlying messaging system. See the MFC Library Reference for MAPI for more information.
What is EMSMDB32?
Electronic Messaging System Microsoft Data Base, 32 bit build (EMSMDB32) provider refers to the Exchange Transport provider which implements both a transport and a message store provider for MAPI. It provides the ability to submit messages to Exchange Server and to read (and possible write) messages to an Exchange store. See How Outlook, CDO, MAPI, and Providers Work Together for more information on how MAPI and providers work together.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause the application or service using the EMSMDB32 provider to stop responding. One of the services that could stop responding is the Microsoft Exchange System Attendant service, since it uses the EMSMDB32 provider. The Microsoft Exchange System Attendant performs a variety of functions related to the on-going maintenance and processing of the Exchange system such as the generation of address lists, offline address books and directory lookup facilities. These tasks will be affected if the Exchange System Attendant service stops working.
How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by sending a specially crafted MAPI command to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the mail service to stop responding.
What systems are primarily at risk from the vulnerability?
Exchange server systems utilizing the EMSMDB provider are primarily at risk from this vulnerability.
What does the update do?
The update removes the vulnerability by modifying the way that Microsoft Exchange Server handles malformed MAPI commands.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Other Information
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
•
Bogdan Materna of VoIPshield Systems for reporting the Literal Processing Vulnerability (CVE-2009-0099).
Top of sectionTop of section
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Support
•
Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
•
International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
•
V1.0 (February 10, 2009): Bulletin published.
Related
