CVE Number: MS15-064
Vulnerability: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3062157)
Product: Microsoft Exchange
Severity: Important
Date: 10-06-2015

Technical Information

Brief overview of the risk:
This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if an authenticated user clicks a link to a specially crafted webpage.

Detailed Information on the risk:

An information disclosure vulnerability exists in Microsoft Exchange web applications when Exchange does not properly manage same-origin policy. An attacker could exploit this Server-Side Request Forgery (SSRF) vulnerability by using a specially crafted web application request. An attacker who successfully exploited this vulnerability could then:


Scan and attack systems behind a firewall that are normally inaccessible from the outside world
Enumerate and attack services that are running on these host systems
Exploit host-based authentication services


Exchange web applications are primarily at risk from this vulnerability. The update addresses the vulnerability by modifying how Exchange web applications manage same-origin policy.


Further information on this exploit is available at: MS15-064

Affected Software

Microsoft Exchange Server 2013 Service Pack 1
Microsoft Exchange Server 2013 Cumulative Update 8