MS16-079: Security Update for Microsoft Exchange Server (3160339)

critical Nessus Plugin ID 91612

Synopsis

The remote Microsoft Exchange Server is affected by multiple vulnerabilities.

Description

The remote Microsoft Exchange Server is missing a security update. It is, therefore, affected by multiple vulnerabilities :

- Multiple stack buffer overflow conditions exist in the Oracle Outside In subcomponent due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, via a crafted file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-6013, CVE-2015-6014, CVE-2015-6015)

- An email filter bypass flaw exists in the parsing of HTML messages. An unauthenticated, remote attacker can exploit this, via specially crafted URLs in OWA messages, to identify, fingerprint, and track a user online if the user views email using Outlook Web Access.
(CVE-2016-0028)

Solution

Microsoft has released a set of patches for Exchange Server 2007, 2010, 2013, and 2016.

See Also

http://www.nessus.org/u?46507b18

Plugin Details

Severity: Critical

ID: 91612

File Name: smb_nt_ms16-079.nasl

Version: 1.12

Type: local

Agent: windows

Published: 6/15/2016

Updated: 4/20/2021

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2015-6013

Vulnerability Information

CPE: cpe:/a:microsoft:exchange_server

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 6/14/2016

Vulnerability Publication Date: 1/19/2016

Reference Information

CVE: CVE-2015-6013, CVE-2015-6014, CVE-2015-6015, CVE-2016-0028

BID: 81227, 81233, 81243, 91115

MSFT: MS16-079

MSKB: 3151086, 3151097, 3150501

CERT: 916896