8/14/2012: We have released updates to address the vulnerability mentioned in this post. See Microsoft Security Bulletin MS12-058 - Critical.

Yesterday Microsoft Security Research Center issued Microsoft Security Advisory (2737111) - Microsoft is investigating new public reports of vulnerabilities in third-party code, Oracle Outside In libraries, that affect Web-ready document viewing in Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010. We recommend that customers apply the workarounds described in this advisory so you are not exposed to the vulnerabilities described in Oracle Critical Patch Update Advisory - July 2012.

The reported vulnerability that’s being investigated impacts web-ready document viewing in Exchange 2010/Exchange 2007. Web-ready document viewing is a feature that allows Outlook Web App users to view supported attachments in an email without having to download them to a computer and using locally-installed applications to view them.

For more information, see Microsoft Security Advisory (2737111) and More information on Security Advisory 2737111 on the Microsoft Security Research & Defense blog.

Bharat Suneja