Microsoft licenses Oracle's Outside In technology to parse a wide range of file formats; the vulnerabilities were identified and fixed in Oracle's quarterly Critical Patch Update issued earlier this month.
“The vulnerabilities exist due to the way that files are parsed by the third-party, Oracle Outside In libraries. In the most severe case of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010, it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do”, according to the Microsoft security advisory.
Dave Forstrom, director of Microsoft Trustworthy Computing, said the company was not aware of active exploitation of the vulnerabilities, but recommended that customers apply the workarounds to protect their servers. More detail on the workarounds was provided in a blog post by the Microsoft Security Research and Defense engineering team.
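As an added example, not text from the article, the advisory or the SRD blog post: the Exchange-side workaround Microsoft described for Exchange 2007 and 2010 was to disable WebReady Document Viewing in Outlook Web App, the feature that hands attachments to the Outside In converters for in-browser preview. The PowerShell below, run from the Exchange Management Shell, reports the current state of that setting on every OWA virtual directory, turns it off, and then verifies the change. The cmdlets and parameter names are standard Exchange cmdlets; the surrounding script is written for this page and assumes the shell is connected to the organisation whose Client Access servers you want to change.

```powershell
# Added example (not from the article or the Microsoft advisory): check and
# disable WebReady Document Viewing, the OWA feature that passes attachments
# through the Oracle Outside In converters. Run from the Exchange Management
# Shell on Exchange 2007 or 2010 with rights to change OWA virtual directories.

# 1. Record the current state so the change can be reviewed and later reverted
#    once a fixed Exchange update is installed.
Get-OwaVirtualDirectory |
    Select-Object Server, Name,
        WebReadyDocumentViewingOnPublicComputersEnabled,
        WebReadyDocumentViewingOnPrivateComputersEnabled |
    Format-Table -AutoSize

# 2. Disable WebReady viewing for both "public computer" and "private computer"
#    OWA sessions on every OWA virtual directory returned by the query.
Get-OwaVirtualDirectory |
    Set-OwaVirtualDirectory `
        -WebReadyDocumentViewingOnPublicComputersEnabled $false `
        -WebReadyDocumentViewingOnPrivateComputersEnabled $false

# 3. Verify: any directory still reporting True for either setting is listed,
#    so a directory the pipeline missed does not go unnoticed.
$stillEnabled = Get-OwaVirtualDirectory |
    Where-Object {
        $_.WebReadyDocumentViewingOnPublicComputersEnabled -or
        $_.WebReadyDocumentViewingOnPrivateComputersEnabled
    }

if ($stillEnabled) {
    $stillEnabled | ForEach-Object {
        Write-Warning "WebReady Document Viewing still enabled on $($_.Identity)"
    }
} else {
    Write-Output "WebReady Document Viewing is disabled on all OWA virtual directories."
}
```

Disabling the feature removes in-browser attachment preview for OWA users until an Exchange update carrying the fixed Outside In libraries is installed, so keep the output of step 1 to restore the previous settings afterwards.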
Johannes Ullrich with the SANS Technology Institute commented in a blog: “Oracle's 'Outside In' libraries are able to decode over 500 different file formats. The libraries are used to be able to index content inside files like PDFs and other common file types. It is very likely that not only Microsoft's software is including this library.”
Ullrich noted that the US Computer Emergency Readiness Team (US-CERT) has identified a number of other vendors that ship Oracle's Outside In libraries in their products, including Cisco, HP, IBM, and McAfee.