Despite Exchange 2010 not being affected by the #privexchange PoC in my testing, Microsoft has listed Exchange 2010 in their new advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007 …
Perhaps they know of a variant that affects 2010.
Still no update at this time, so be sure to apply workarounds!
But then again, this advisory states "To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack", which we know isn't true. So maybe I'll let the dust settle a bit...
It also states "An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server." This is worded in a way that implies that perhaps the impact is that User A can read the email of User B. It can get you DOMAIN ADMIN!
And you might ask yourself: How did @msftsecresponse advisory https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007 … get published without mentioning CVE-2019-0686? Story time: At some point, MSRC stopped using bulletin identifiers like MS08-067, and started using CVE IDs instead. This is a good thing, right?
Not so fast... When this change happened, MSRC adopted the incorrect mindset that a CVE ID is used to refer to a software update, rather than a vulnerability. Because no software update has been released for Exchange, Microsoft has not yet publicly referred to it by its CVE ID.