Microsoft provides workarounds for Oracle vulnerability

26 July 2012

Microsoft is providing workarounds for a remote code execution vulnerability in third-party code – Oracle Outside In libraries – that affects certain versions of Microsoft Exchange and SharePoint servers.

Microsoft licenses the Oracle Outside In technology to develop different types of file formats; this vulnerability was identified and fixed in Oracle’s quarterly critical patch update issued earlier this month.

“The vulnerabilities exist due to the way that files are parsed by the third-party, Oracle Outside In libraries. In the most severe case of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010, it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do”, according to the Microsoft security advisory.

Dave Forstrom, director of Microsoft Trustworthy Computing, said the company was not aware of active exploits of the vulnerability, but recommended that customers use the workarounds to protect their servers. More detail about the workarounds was provided in a blog post by the Microsoft Security Research and Defense engineering team.

Johannes Ullrich with the SANS Technology Institute commented in a blog: “Oracle's 'Outside In' libraries are able to decode over 500 different file formats. The libraries are used to be able to index content inside files like PDFs and other common file types. It is very likely that not only Microsoft's software is including this library.”

Ullrich noted that the US Computer Emergency Readiness Team has identified a number of other vendors that use Oracle’s Outside In libraries, including Cisco, HP, IBM, and McAfee.
