Microsoft gave its users steps earlier this week to sidestep a vulnerability in one of Oracle’s Outside In libraries. The company published some mitigations for the bug, but said it isn’t aware of any active attacks against it yet.
The Oracle technology is licensed by software developers like Microsoft to transform and control different types of file formats. Outside In is present in Microsoft’s Exchange Server 2007, Exchange Server 2010 and FAST Search Server for SharePoint products. The vulnerability was initially highlighted in Oracle’s Critical Patch Update Advisory for this month.
In a post on its TechNet blog, Dave Forstrom of Trustworthy Computing said Microsoft isn’t aware of any active exploits against the vulnerability, but that following the workaround is the best practice for users until an adequate security update is developed.
A separate blog post by Microsoft’s Security and Defense team explains that the best way to minimize risk is to disable WebReady Document Viewing on the VDir of all CAS servers. This avoids a problem that lies in the way WebReady Document Viewing renders certain attachments as a web page “instead of relying on local applications to open/view it,” according to the post.
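One way to apply and verify that workaround from the Exchange Management Shell, shown as an added example rather than the commands published by Microsoft. It assumes the standard `Get-OwaVirtualDirectory` and `Set-OwaVirtualDirectory` cmdlets and their WebReady settings for public and private logons; the CSV path is a hypothetical name.

```powershell
# Added example: run in the Exchange Management Shell (Exchange Server 2007 / 2010).
# Only OWA virtual directories at version Exchange2007 or Exchange2010 are targeted.
$versions = @('Exchange2007', 'Exchange2010')
$targets  = Get-OwaVirtualDirectory |
    Where-Object { $versions -contains "$($_.OwaVersion)" }

# 1. Record the current state so the change can be reverted once a security
#    update is installed. The output path is an assumption for this example.
$targets |
    Select-Object Server, Name,
        WebReadyDocumentViewingOnPublicComputersEnabled,
        WebReadyDocumentViewingOnPrivateComputersEnabled |
    Export-Csv -Path .\webready-before.csv -NoTypeInformation

# 2. Disable WebReady Document Viewing for both public and private logons
#    on every targeted virtual directory.
$targets | Set-OwaVirtualDirectory `
    -WebReadyDocumentViewingOnPublicComputersEnabled:$false `
    -WebReadyDocumentViewingOnPrivateComputersEnabled:$false

# 3. Re-read the configuration and flag any directory where the feature is still on.
$stillEnabled = Get-OwaVirtualDirectory | Where-Object {
    ($versions -contains "$($_.OwaVersion)") -and
    ($_.WebReadyDocumentViewingOnPublicComputersEnabled -or
     $_.WebReadyDocumentViewingOnPrivateComputersEnabled)
}

if ($stillEnabled) {
    $stillEnabled | ForEach-Object {
        Write-Warning "WebReady still enabled on $($_.Server) : $($_.Name)"
    }
} else {
    Write-Output "WebReady Document Viewing is disabled on all targeted OWA virtual directories."
}
```

With the feature off, users can no longer preview supported attachments in the browser and must open them in a local application instead.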
For more on this, including a more in-depth explanation of the Oracle flaw, head to TechNet.