In my Exchange Server UPDATE column last week, I described a class of cryptographic flaw known as a padding oracle and explained how Microsoft’s ASP.NET framework is vulnerable to it. I left open the question of which versions of Exchange might be affected, and what Microsoft might plan to do about it. A week later, the answers are somewhat clearer.
Normally, Microsoft releases security patches on a regular monthly schedule: the second Tuesday of the month has become informally known as "Patch Tuesday" among many Windows administrators because that’s when Microsoft ships patches. However, from time to time they also release patches "out of band," in between the regularly scheduled patch releases. These out-of-band patches are typically reserved for serious problems, and the padding oracle attack definitely qualifies. Accordingly, Microsoft has just released a patch for this vulnerability, which is described in Microsoft Security Bulletin MS10-070. Knowledge Base article 2418042 describes the patch installation process and identifies the multiple versions of the patch that exist for different operating systems and .NET Framework versions. (ed. note– seeing 7-digit KB article numbers makes me feel kind of old!)
What about Exchange? Well, this Exchange team blog post says that the team "…has not identified any issues related to the application of this patch on an Exchange server." That’s good news, as it indicates that Microsoft believes it’s OK to apply the patch. The post stops short of telling you to go off and install it everywhere, saying instead that you should install it on any Exchange server that has "an affected version of ASP.NET." At first I was confused that the post is tagged "Exchange 2007" and "Exchange 2010," but on rereading it closely, it’s clearly meant to apply to Exchange 2003 too.
If you don’t have a plan in place to push critical patches to your Exchange servers (preferably after validating them in your own environment), this would be a really good time to start on one. Happy patching!
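As an added example (not code from the original post, from the Exchange team, or from Microsoft), here is a PowerShell check an administrator could run on each Exchange server before and after rolling out the update. It inventories the installed .NET Framework versions (the ASP.NET that ships with each one is what the bulletin covers) and reports whether the MS10-070 packages you name are present. It assumes PowerShell 2.0 (for Get-HotFix) and that you supply the package KB numbers with -KbIds, taken from KB 2418042; the script hard-codes none, because the package numbers vary by operating system and .NET Framework version and are not given in this post. The file name Check-Ms10070.ps1 is just a suggestion.

```powershell
# Check-Ms10070.ps1 -- added example, not code from the original post or from Microsoft.
# Lists installed .NET Framework versions and checks whether the MS10-070 update
# packages are installed. Package KB numbers differ per OS and .NET version; take
# them from KB 2418042 and pass them in. None are hard-coded here.
#
# Usage:  .\Check-Ms10070.ps1 -KbIds 'KB<first package>','KB<second package>'
param(
    [Parameter(Mandatory = $true)]
    [string[]]$KbIds          # package IDs from KB 2418042 for this OS / .NET combination
)

# Installed .NET Framework versions, read from the NDP registry hive.
# v2.0.50727, v3.0 and v3.5 keep Install and Version directly under the version key;
# v4 keeps them under the Client and Full subkeys. Language subkeys (e.g. 1033) are skipped.
function Get-DotNetVersions {
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    Get-ChildItem $ndp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\\v[234]' -and $_.Name -notmatch '\\\d{4}$' } |
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.Install -eq 1 -and $p.Version) {
                New-Object PSObject -Property @{
                    Key     = $_.Name -replace '^.*\\NDP\\', ''
                    Version = $p.Version
                }
            }
        }
}

# One row per requested KB: present or not, according to Win32_QuickFixEngineering
# (which is what Get-HotFix queries). Comparison is case-insensitive.
function Test-Ms10070 {
    param([string[]]$Ids)
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($id in $Ids) {
        New-Object PSObject -Property @{
            KB        = $id
            Installed = ($installed -contains $id)
        }
    }
}

Write-Host "Installed .NET Framework versions on $env:COMPUTERNAME:"
Get-DotNetVersions | Format-Table Key, Version -AutoSize

Write-Host "MS10-070 packages (IDs as given on the command line):"
$results = @(Test-Ms10070 -Ids $KbIds)
$results | Format-Table KB, Installed -AutoSize

$missing = @($results | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} requested MS10-070 packages not found; confirm against KB 2418042 which package matches this OS and .NET version." -f $missing.Count, $results.Count)
    exit 1
}
```

Run it once before patching to record the baseline, and again afterwards; a non-zero exit code makes it easy to drop into whatever job you use to push critical patches, so a server that silently missed the update shows up in the report rather than in an incident.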
Edited to correct the patch release date– it’s already out. Thanks to Bharat Suneja for catching my error.