Exchange HTML Injection Vulnerability - CVE-2015-2359
To make a long story short: under the right circumstances an attacker could elevate privileges and use that to launch an attack on the Exchange Servers or on other servers that would otherwise not be exposed to the internet, for instance servers in the same network as the Exchange servers. It should be noted that an attacker would not be able to do so without a little help from your users. According to the information in the bulletin, a user must first be lured to a malicious web page, from where the attacker can exploit the vulnerability using a forged request (Server-Side Request Forgery, SSRF).
It goes without saying that a lot of the pain can be avoided by properly educating your users. But recent events have proven that this is easier said than done. Modern phishing attacks can be really hard to detect. Often, high-ranking individuals in the organization are targeted, in the hope that the attack reveals as much (personal) information as possible. It's no wonder that Microsoft invests heavily in features such as the newly introduced "Advanced Threat Protection", which can help prevent information disclosure (or worse) through phishing attacks by providing time-of-click protection against malicious links through its "Safe Links" capability.
Given that Microsoft has ranked the security update as "important", there is enough reason for you to take a look at it and deploy it at your earliest convenience. As always, make sure to test what you will be deploying in production.
Securing your Exchange Server environment is more than just deploying security patches. There are other things to consider too. For instance, take a look at Dave Stork's recent blog post, in which he explains how security protocols and ciphers matter to your Exchange Server's baseline security. Well worth the read!
Michael Van Horenbeeck MVP, MCSM
Michael Van Horenbeeck is a Microsoft Certified Solutions Master (MCSM) and Exchange Server MVP from Belgium, with a strong focus on Microsoft Exchange, Office 365, Active Directory, and a bit of Lync. Michael has been active in the industry for about 12 years and developed a love for Exchange back in 2000. He is a frequent blogger and a member of the Belgian Unified Communications User Group Pro-Exchange. Besides writing about technology, Michael is a regular contributor to The UC Architects podcast and a speaker at various conferences around the world. You can follow Michael via Twitter (@mvanhorenbeeck) or his blog michaelvh.wordpress.com.