Today we released Security Advisory 2737111 to describe the way in which vulnerabilities in Oracle’s Outside In technology impact the document preview functionality of Microsoft Exchange Server 2007 and 2010 and FAST Search Server 2010 for SharePoint. In this blog, we would like to discuss the following:

  • What is the Oracle Outside In technology?
  • Why are Microsoft Exchange and FAST Search Server affected by a vulnerability in Oracle’s product?
  • What are the mitigating factors that reduce the risk to customers?
  • What workaround options exist in absence of a security update?

What is the Oracle Outside In technology?

The Oracle Corporation provides a solution called Oracle Outside In to software developers (such as Microsoft) to access, transform, and control the contents of a number of file formats.  Microsoft Security Advisory 2737111 describes Microsoft's exposure to the vulnerabilities addressed by Oracle via their recent Critical Patch Update Advisory - July 2012 and recommends steps affected users may take to protect servers from these vulnerabilities until a comprehensive Microsoft security update is available.

Why are Microsoft Exchange Server and FAST Search Server affected by a vulnerability in Oracle’s software?

In Microsoft Exchange Server 2007 and Exchange Server 2010, Outlook Web App (OWA) users are provided with a feature called WebReady Document Viewing that allows users to view certain attachments as a web page instead of relying on local applications to open/view it. Oracle Outside In is used by the conversion process in the server backend to support the WebReady feature. Microsoft licenses this library from Oracle.

In FAST Search Server 2010 for SharePoint, “Oracle Outside In” is used to index file content in a non-default scenario. Only SharePoint 2010 SP1 installations using FAST Search Server 2010 for Sharepoint can potentially be affected by this issue, as we will describe in the mitigating factors section below.

What are the mitigating factors that reduce the risk to customers?

In the Exchange Server 2007/2010 scenario, the conversion process that uses Oracle Outside In, TranscodingService.exe, runs as LocalService. The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null or anonymous session without even machine credentials.

In the FAST Search Server 2010 for SharePoint scenario, the functionality that uses Oracle Outside In, Advanced Filter Pack, is NOT enabled by default. SharePoint Server is only impacted if FAST Search Server 2010 for SharePoint is used.

Moreover, the process in FAST Search Server 2010 for SharePoint that uses “Oracle Outside In”, is running with a restricted token similar to the Office 2010 Protected View sandbox, which further limits what the attacker may access even if the process is compromised.

Last, the attacker needs to have the access to upload malicious documents into one of the data stores, such as the SharePoint server site, that will be indexed by FAST.

What workaround options exist in absence of a security update?

In the Exchange Server 2007/2010 scenario, we recommend disabling WebReady Document Viewing on the VDir of all CAS Servers. You can do so with a single PowerShell command, as described below:

  • Launch Exchange Management Shell as a user with Exchange Administrator privileges.
  • Issue the following Powershell Command:

    Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010'} | Set-OwaVirtualDirectory -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False

    Note: On Exchange Server 2010, Server Management privileges are also required.

This will immediately disable the ability to render via WebReady Document Viewing on all current and future OWA sessions. Users could still open and view attachments using the local application. Only the in-browser document preview functionality would be impacted.

In the FAST Search Server 2010 scenario, we recommend disabling the Advanced Filter Pack if FAST Search is installed and Advanced Filter Pack is enabled. To do it, please follow the following steps described in http://technet.microsoft.com/en-us/library/ff383314.

On the FAST Search Server 2010 for SharePoint administration server (or single server), follow these steps:

  • On the Start menu, click All Programs.
  • Click Microsoft FAST Search Server 2010 for SharePoint.
  • Right click Microsoft FAST Search Server 2010 for SharePoint shell and select Run as administrator.
  • At the command prompt, browse to installer\scripts under the installation folder.
  • Type the following command: .\AdvancedFilterPack.ps1 -disable

Special thanks to Greg Lenti, Brent Alinger, Travis Rhodes, Anund Lie and David LeBlanc for the help with this issue.

- Suha Can, Elia Florio, Chengyun Chu from MSRC Engineering