Microsoft Exchange Security Flaws Could Put Users' Data At Risk
A few days ago, the Zero Day Initiative disclosed four vulnerabilities in Microsoft Exchange. These vulnerabilities, outlined below, were initially disclosed to Microsoft on September 7th and 8th. However, Microsoft reportedly didn't respond immediately, despite the potential for privilege escalation, sensitive information disclosure, or code execution.
- ZDI-23-1578 – A flaw within the ChainedSerializationBinder class, caused by improper validation of user-supplied data, could lead to code execution as SYSTEM.
- ZDI-23-1579 – A flaw within the DownloadDataFromUri method could allow an attacker to disclose sensitive information.
- ZDI-23-1580 – A flaw within the DownloadDataFromOfficeMarketPlace method could allow an attacker to disclose sensitive information.
- ZDI-23-1581 – A flaw within the CreateAttachmentFromUri method could allow an attacker to disclose sensitive information.
While this isn’t an excuse to ignore the vulnerabilities, they are not calamitous issues either. However, it is an opportunity to review security best practices and ensure that your Exchange servers are up to date with the latest patches and locked down to the point where these flaws are not going to be a problem.