J003-Content-MS16-010_SQOur first Patch Tuesday of 2016 brought us patches for a number of systems, and ranges from Important to Critical, but for Exchange SysAdmins MS16-010 is of particular note, as it applies to both Exchange 2013 and 2016. The patch, rated Important and that may require a reboot, addresses vulnerabilities in OWA that could be exploited by an attacker to perform spoofing attacks against users. It is advisable to test MS16-010 in your environment and then deploy it in a timely manner.

The bug has to do with how OWA validates web requests, and in this case that it does not sanitize data, and the vulnerability can be exploited to perform content or scripting injection, or to redirect users to other servers hosting malicious content. Exploits would require a user to click on a malicious link, but we all know that users will click on practically anything if enticed appropriately.

Attackers must be authenticated to Exchange in order to generate a malicious link, but they do not require special or administrative privileges to do so. All they need to do is phish one set of end user credentials, and they can then leverage the vulnerability to attack other users. At this time there are no workarounds or mitigations. Also at this time, there have been no reports of this vulnerability being exploited in the wild. Still, the patch needs to be deployed.

MITRE has reserved four CVEs to the vulnerability, probably based on the version of Exchange. Here’s a table with the CVEs and links to MITRE’s website for those details once published.

Vulnerability title CVE number
Exchange Spoofing Vulnerability CVE-2016-0029
Exchange Spoofing Vulnerability CVE-2016-0030
Exchange Spoofing Vulnerability CVE-2016-0031
Exchange Spoofing Vulnerability CVE-2016-0032

Since this only impacts OWA, in 2013 you only need to install this to CAS servers, or multirole servers that include the CAS role. For 2016, you will just install it on each server.

Microsoft acknowledged the contributions of three individuals related to this bug; Abdulrahman Alqabandi, Alexandru Coltuneac, and Israelg from BugSec.

Exchange SysAdmins can use Windows Update to patch their servers, or download the patch from https://technet.microsoft.com/library/security/MS16-010. Information on the download, including the hashes, is published at https://support.microsoft.com/en-us/kb/3124557.

Get testing, get patching, and all will be well.