Cisco Support Community
Checking on validity of MS04-013 for Unity server

Hello -

This security hotfix is for Outlook Express, which exists on the Unity server but is not used. I just installed other security hotfixes on my test Unity server running 4.0(3). The Outlook Express executable is version 6.00.2800.1106. My production server is the same. Neither version of the hotfix will run though - the Outlook Express 5.5 version said I needed to be at 5.5SP2. The Outlook Express 6 version said I needed to be at Outlook XP. I would prefer not to upgrade Outlook Express just to apply the hotfix and want to know if I can skip this hotfix. MS04-011, 012, and 014 applied just fine.

Thanks much!



Re: Checking on validity of MS04-013 for Unity server

Hi Ginger,

This is what Microsoft says:

How could an attacker exploit this vulnerability?

The remote code execution vulnerability exists in the processing of specially crafted MHTML URLs that could permit an attacker to take complete control of an affected system.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

An attacker could also create an HTML e-mail message that was designed to exploit the vulnerability. Then an attacker could persuade the user to view the HTML e-mail message. After the user had visited the malicious Web site or viewed the malicious HTML e-mail message, an attacker who successfully exploited this vulnerability could run HTML code of their choice in the Local Machine zone on the user’s system. This could allow an attacker to access files on a user's system and to run arbitrary code on a user's system. This code would run in the security context of the user who was currently logged on.

It sounds to me like you would need to browse the web from Unity or read email on it. Neither of these actions is something anybody should be doing from the Unity server, or any server for that matter. And I know you never would because you are the model customer. :-) So it looks to me like you probably don't need to worry about it too much. These appear to be client vulnerabilities and not really server vulnerabilities.
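An added example, not code from the thread, from Cisco or from Microsoft: a small Python scanner that flags mhtml: URLs, the vector the quoted bulletin text describes, in HTML pages and in the text/html parts of an e-mail. It is a compensating check for content that is headed to a host that cannot take the patch, not a replacement for the patch, and it reports every MHTML URL rather than any particular crafted one. The `mhtml:container!part` form is Microsoft's MHTML URL syntax; the host names and message bodies are constructed, and the set of URL-bearing attributes is an assumption rather than an exhaustive list.

```python
"""Flag MHTML URLs in HTML pages and e-mail bodies (added example, constructed data)."""
import email
import re
from email import policy
from html.parser import HTMLParser

# Attributes that IE / Outlook Express resolve as URLs (assumed, not exhaustive).
URL_ATTRS = {"href", "src", "data", "background", "codebase", "action"}

# mhtml:<container-url>!<part-url>; "!" separates the .mht container from the
# part inside it. Scheme is matched case-insensitively, whitespace tolerated.
MHTML_URL = re.compile(
    r"""mhtml\s*:\s*([^\s"'<>()!]+)(?:!([^\s"'<>()]*))?""", re.IGNORECASE)


class _Scanner(HTMLParser):
    """Collects mhtml: URLs from tag attributes, inline styles and <style>/<script> text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _record(self, where, text):
        for m in MHTML_URL.finditer(text):
            self.findings.append(
                {"where": where, "container": m.group(1), "part": m.group(2) or ""})

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (name.lower() in URL_ATTRS or name.lower() == "style"):
                self._record(f"<{tag} {name}>", value)

    def handle_data(self, data):
        # <style>, <script> and plain text; this also catches CSS url(mhtml:...).
        self._record("text", data)


def scan_html(markup: str) -> list:
    """Return every mhtml: URL in an HTML document, deduplicated by (container, part)."""
    scanner = _Scanner()
    scanner.feed(markup)
    scanner.close()
    findings = scanner.findings
    seen = {(f["container"], f["part"]) for f in findings}
    # Fallback pass over the raw text: URLs inside comments or broken markup
    # never reach a parser callback, but still matter to a renderer.
    for m in MHTML_URL.finditer(markup):
        key = (m.group(1), m.group(2) or "")
        if key not in seen:
            seen.add(key)
            findings.append({"where": "raw", "container": key[0], "part": key[1]})
    return findings


def scan_eml(raw: bytes) -> list:
    """Scan every text/html part of an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


# Constructed sample page: one MHTML URL in CSS, one in an iframe, one in an object.
SAMPLE_HTML = """<html><head>
<style>body { background: url(mhtml:http://files.example.test/page.mht!bg.html); }</style>
</head><body>
<p>Quarterly report: <a href="http://intranet.example.test/report.html">open</a></p>
<iframe src="MHTML:http://files.example.test/page.mht!http://files.example.test/inner.html"></iframe>
<object data="mhtml:http://files.example.test/page.mht!inner.html"></object>
</body></html>"""

# Constructed sample page with ordinary links only.
CLEAN_HTML = """<html><body><a href="http://intranet.example.test/">home</a></body></html>"""

# Constructed sample message: plain-text and HTML alternatives, the HTML one links an mhtml: URL.
SAMPLE_EML = b"""From: sender@example.test
To: admin@example.test
Subject: Updated voicemail report
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See the attached report.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>See the <a href="mhtml:http://files.example.test/report.mht!http://files.example.test/report.html">report</a>.</p></body></html>
--b1--
"""

if __name__ == "__main__":
    for label, found in (("page", scan_html(SAMPLE_HTML)), ("mail", scan_eml(SAMPLE_EML))):
        for f in found:
            print(f"{label}: {f['where']} -> mhtml:{f['container']}!{f['part']}")
```

Run against a mail gateway's quarantine or a proxy's cached pages, a non-empty result is the trigger to hold the content rather than deliver it to an unpatched Outlook Express; the scanner records where each URL sat (attribute, style text, or raw fallback) so the reviewer can see which rendering path would have resolved it.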



Re: Checking on validity of MS04-013 for Unity server

Hey Keith -

Thanks for the additional explanation from MS. I agree with your vulnerability assessment ... there's that fine line between wanting to be diligent with security yet not apply hotfixes that really aren't necessary or applicable for the server. As always, I appreciate your experience and insight! And, I'm happy to know I'm on your model customer list :-)


