Today an important update was released for the following Exchange Server versions:
- Microsoft Exchange Server 2013 Service Pack 1
- Microsoft Exchange Server 2013 Cumulative Update 14
- Microsoft Exchange Server 2016 Cumulative Update 3
It is interesting to note that the versions this update targets are no longer the latest ones: CU4 for Exchange 2016 and CU15 for Exchange 2013 have already been released.
Microsoft writes the following about the vulnerability and classifies the security update with the severity level "High":
https://technet.microsoft.com/library/security/MS17-015
A privilege escalation vulnerability exists in Microsoft Exchange Outlook Web Access (OWA) because web requests are not handled properly. An attacker who successfully exploited this vulnerability could perform script or content injection attacks and attempt to trick the user into disclosing sensitive information.
An attacker can exploit this vulnerability by sending a specially crafted email with a malicious link to a user. Alternatively, an attacker could use a chat client to trick a user into clicking on the malicious link.
The security update fixes the vulnerability by correcting how Microsoft Exchange checks web requests.
NOTE: This vulnerability can be exploited if a user clicks on a malicious link provided by an attacker.
Click here to download the updates directly:
- Security Update For Exchange Server 2013 SP1 (KB4012178)
- Security Update For Exchange Server 2013 CU14 (KB4012178)
- Security Update For Exchange Server 2016 CU3 (KB4012178)
Apparently the vulnerability is not present in the current Exchange versions (CU4 for Exchange 2016, CU15 for Exchange 2013); at least the build numbers do not match:
- Exchange 2016 CU4: 15.01.0669.032
- KB4012178 for Exchange 2016 CU3: 15.01.0544.030
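Because the build number is the only reliable indicator of whether KB4012178 is installed, the following PowerShell snippet is an added example (not from the original post or from Microsoft) that reads the installed Exchange build from ExSetup.exe and compares it against the patched build. Only the Exchange 2016 CU3 value (15.01.0544.030) and the CU4 build (15.01.0669.032) come from the post; the Exchange 2013 SP1 and CU14 entries are placeholders to be filled in from the KB article, and the function names are assumptions.

```powershell
# Added example: check whether the local Exchange server carries the KB4012178 build.
# Run in the Exchange Management Shell (or any PowerShell session on the Exchange server).

# Patched builds keyed by "major.minor.build", which identifies the CU level.
# Only the Exchange 2016 CU3 value is taken from the post; the Exchange 2013
# entries are placeholders and must be replaced with the builds from the KB article.
$PatchedBuilds = @{
    '15.1.544' = [version]'15.1.544.30'     # Exchange 2016 CU3 + KB4012178 (from the post)
    # '15.0.847'  = [version]'15.0.847.<PLACEHOLDER>'    # Exchange 2013 SP1 + KB4012178
    # '15.0.1236' = [version]'15.0.1236.<PLACEHOLDER>'   # Exchange 2013 CU14 + KB4012178
}

# CU levels newer than those the update targets; per the post they do not need it.
$NewerCUs = @('15.1.669')   # Exchange 2016 CU4 (15.01.0669.032)

function Get-ExchangeBuild {
    # ExSetup.exe carries the full build number in the same format as the post
    # (e.g. 15.01.0544.030); [version] normalises the leading zeros.
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    return [version](Get-Item $exsetup).VersionInfo.FileVersion
}

function Test-KB4012178Status {
    # Returns a short status string for a given installed build (hypothetical helper name).
    param([Parameter(Mandatory)][version]$Installed)

    $cu = '{0}.{1}.{2}' -f $Installed.Major, $Installed.Minor, $Installed.Build
    if ($PatchedBuilds.ContainsKey($cu)) {
        if ($Installed -ge $PatchedBuilds[$cu]) { return 'Patched' }
        return 'Vulnerable - install KB4012178'
    }
    if ($NewerCUs -contains $cu) { return 'Newer CU - KB4012178 does not apply' }
    return 'Unknown CU level - verify manually against the KB article'
}

# Constructed sample builds (not real servers): one below the patched CU3 build,
# the patched CU3 build itself, and the CU4 build quoted in the post.
foreach ($sample in '15.01.0544.027', '15.01.0544.030', '15.01.0669.032') {
    '{0,-16} {1}' -f $sample, (Test-KB4012178Status -Installed ([version]$sample))
}

# On a real Exchange server, check the local installation.
if ($env:ExchangeInstallPath) {
    'Local server:    {0}' -f (Test-KB4012178Status -Installed (Get-ExchangeBuild))
}
```

The comparison is done per CU level on purpose: a build such as 15.1.544.30 is only meaningful relative to CU3, so a newer CU with a lower revision number must not be reported as vulnerable, and any CU level not listed in the table is flagged for manual verification rather than guessed.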