Microsoft warns of Oracle holes in Exchange and SharePoint
Microsoft is warning that its Exchange and SharePoint server products may be affected by security holes that Oracle patched in its most recent Critical Patch Updates last week. Apparently, the Microsoft components use the Oracle Outside In libraries, which, Oracle says, contain security holes.
According to the now released Microsoft Security Advisory 2737111, the issue affects Exchange Server 2007 and 2010 as well as FAST Search Server 2010 for SharePoint. SharePoint is only vulnerable if the Advanced Filter Pack has been activated, says Microsoft. As a workaround, the company recommends that users disable this feature in Sharepoint for the time being. Exchange administrators have been advised to disable the attachment transcoding service. However, this may cause the OWA web frontend's file attachment preview to malfunction. As usual, Microsoft doesn't say whether or when it will release suitable patches to eliminate the root of the problem: "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers", the company states in the usual, broad way.
Microsoft does not comment on the nature of its cooperation with Oracle in this matter; the report only mentions "public reports of vulnerabilities in third-party code." Together with the fact that Microsoft's advisory has arrived a whole week late, this gives rise to the assumption that Oracle's patches have caught the company by surprise. The enmity between the two companies dates back decades and has become almost legendary. Apparently, it is rooted so deeply that it even prevents the companies from cooperating to protect their customers when there are security issues.