But then again, this advisory states "To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack", which we know isn't true. So maybe I'll let the dust settle a bit...
It also states "An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server." This is worded in a way that implies that perhaps the impact is that User A can read the email of User B. It can get you DOMAIN ADMIN!
And you might ask yourself: How did @msftsecresponse advisory https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007 get published without mentioning CVE-2019-0686? Story time: At some point, MSRC stopped using bulletin identifiers like MS08-067, and started using CVE IDs instead. This is a good thing, right?
Not so fast... When this change happened, MSRC adopted the incorrect mindset that a CVE ID is used to refer to a software update, rather than a vulnerability. Because no software update has been released for Exchange, Microsoft has not yet publicly referred to it by its CVE ID.
Any update on Exchange 2010? Is it still not affected?
According to ADV190007 and the 2 follow-up updates for CVE-2019-0724 and CVE-2019-0686, Microsoft Exchange 2010 is affected. In my (and others') testing, 2010 is not affected. But the 3 above publications from Microsoft are so full of errors that I can't justify updating the VU#.