CVE Number: MS14-075
Vulnerability: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)
Product: Microsoft Exchange
Severity: Important
Date: 10-12-2014

Technical Information

Brief overview of the risk:
This security update resolves four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site.

Detailed Information on the risk:

A token spoofing vulnerability exists in Exchange Server when Microsoft Outlook Web App (OWA) fails to properly validate a request token. An attacker who successfully exploited this vulnerability could send email that appears to come from a user other than the attacker (e.g., from a trusted source). Customers who access their Exchange Server email via Outlook Web App are primarily at risk from this vulnerability.


Further information on this exploit is available at: MS14-075

Affected Software

Microsoft Exchange Server 2007 Service Pack 3
Microsoft Exchange Server 2010 Service Pack 3 
Microsoft Exchange Server 2013 Service Pack 1
Microsoft Exchange Server 2013 Cumulative Update 6