Oracle's file converter holes endanger many server services

Some of the holes that Oracle closed last week affect more than just Oracle software, because Oracle's Outside In library is used in many other products to convert files of different formats. As well as Microsoft's Exchange Server and SharePoint, products from Cisco, HP, IBM, Novell, Symantec, McAfee and others are affected.

Strictly speaking it is not a single hole, but fourteen holes in the parsing of certain types of tile. The affected file formats are .VSD, .WSD, .JP2, .DOC, .SXD, .LWP, .PCX, .SXI, .DPT, .PDF, .SAM, .ODG and .CDR. A program that opens a specially crafted file with the Oracle libraries is fundamentally compromised. A range of server services are affected, including anti-virus scanners like McAfee GroupShield, but also specific desktop applications that need to handle different file types, such as the Guidance EnCase Forensic toolkit.

One of the US-CERT advisories lists a number of companies and products that use the Oracle libraries and are also vulnerable. Among them are

• Cisco Security Agent
• Guidance EnCase Forensic
• Kroll Ontrack
• IBM OmniFind Enterprise Edition
• Novell Groupwise
• McAfee GroupShield and Host Data Loss Prevention
• Symantec Enterprise Vault

A longer version of the US-CERT list apparently does not include all affected products; for example Avira Antivir for Exchange is reported to also use Outside In. It is still unclear whether all products that use Outside In are vulnerable – there are, for example, several print servers on the list. Microsoft has a dedicated advisory published on the vulnerability. It is also unknown whether, or when, the various manufacturers will have patches for their products ready for customers.

Update 26-07-12: Avira has told The H's associates at heise Security that Antivir for Exchange is using Microsoft Jet Engine and Microsoft Access as its database and is therefore not affected by the vulnerability.

(djwm)