In "Exchange Server and the Oracle Padding Attack," I explained the class of vulnerability exploited by a padding oracle attack and showed how Microsoft's ASP.NET framework is vulnerable to it. I left open the question of which versions of Microsoft Exchange Server might be affected and what Microsoft might plan to do about it. A week later, the answers are somewhat clearer.
Microsoft typically releases security patches on a regular monthly schedule: The second Tuesday of the month has become informally known as Patch Tuesday among many Windows administrators because that's when Microsoft ships patches. However, from time to time the company also releases patches "out of band," or in between regularly scheduled patch releases. These out-of-band patches are typically reserved for serious problems, and the padding oracle attack definitely qualifies.
Accordingly, Microsoft has released a patch, which is described in "Microsoft Security Bulletin MS10-070." The Microsoft article "MS10-070: Vulnerability in ASP.NET could allow information disclosure" describes the patch installation process and lists the separate versions of the patch that exist for each operating system and .NET Framework version.
What about Exchange? Well, the Exchange team blog post "UPDATE: Microsoft Security Advisory 2416728, the ASP.NET Vulnerability, and Exchange Server" says that the team has "not identified any issues related to the application of this patch on an Exchange server." That's good news because it indicates that Microsoft believes it's OK to apply the patch. The post stops short of telling you to go off and install it everywhere, saying instead that you should install it on any Exchange server that has "an affected version of ASP.NET."
If you don't have a plan in place to push critical patches to your Exchange servers (preferably after validating them in your own environment), this would be a really good time to start on one. Happy patching!