2012-12-11 This security update resolves publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe vulnerabilities are in Microsoft Exchange Server WebReady Document Viewing and could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service that Exchange uses for WebReady Document Viewing runs under the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.
Vulnerabilities addressed in this bulletin:
Oracle Outside In Contains Multiple Exploitable Vulnerabilities
Remote code execution vulnerabilities exist in Microsoft Exchange Server through the WebReady Document Viewing feature. These vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser. An attacker who successfully exploited the vulnerabilities could run code on the affected server, but only as the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network. To view these vulnerabilities as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2012-3214 and CVE-2012-3217.
CVE-2012-3214
RSS Feed May Cause Exchange DoS Vulnerability
A denial of service vulnerability exists in Microsoft Exchange Server when Exchange improperly handles RSS feeds. The vulnerability could cause the Information Store service on the affected system to become unresponsive until the process is forcibly terminated. This unresponsive condition could cause Exchange databases to dismount, and potentially lead to corruption of databases, affecting user mailboxes.
CVE-2012-4791

Bulletin details at Microsoft.com

Related CVE Entries

Microsoft Exchange Server 2007 SP3 and 2010 SP1 and SP2 allows remote authenticated users to cause a denial of service (Information Store service hang) by subscribing to a crafted RSS feed, aka "RSS Feed May Cause Exchange DoS Vulnerability."
Max CVSS: 3.5; EPSS Score: 6.00%; Published: 2012-12-12; Updated: 2019-06-01
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7.0 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.
Max CVSS: 2.1; EPSS Score: 0.16%; Published: 2012-10-17; Updated: 2018-10-12
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7.0 allows context-dependent attackers to affect availability, related to Outside In HTML Export SDK.
Max CVSS: 2.1; EPSS Score: 0.16%; Published: 2012-10-17; Updated: 2018-10-12