Microsoft Exchange Memory Corruption Vulnerability

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.

Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.

Download:

Product Link
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 21

4091243

Microsoft Exchange Server 2013 Cumulative Update 19

4092041

Microsoft Exchange Server 2013 Cumulative Update 20

4092041

Microsoft Exchange Server 2013 Service Pack 1

4092041

Microsoft Exchange Server 2016 Cumulative Update 8

4092041

Microsoft Exchange Server 2016 Cumulative Update 9

4092041

Exchange 2010-2016 Security Fixes

Microsoft released security updates to fix a remote code execution vulnerability in
Exchange Server. The related knowledge base article is KB4018588.

More information is contained in the following Common Vulnerabilities and Exposures articles:

  • CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
  • CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability

Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:

As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.

The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.

Source

Exchange 2016/2013/2010 Updates March 2017

Today, the Exchange Team released the March updates for Exchange Server 2013 and 2016, as well as Exchange Server 2010 and 2007. The latter will receive its last update, as Exchange 2007 will reach end-of-life April 11, 2017.

As announced in December updates, Exchange 2013 CU16 and Exchange 2016 CU5 require .NET 4.6.2. The recommended upgrade paths:

  • If you are still on .NET 4.6.1, you can upgrade to .NET 4.6.2 prior of after installing the latest Cumulative Update.
  • If you are on .NET 4.52, upgrade to Exchange 2016 CU4 or Exchange 2013 CU15 if you are not already on that level, then upgrade to .NET 4.6.2, and finally upgrade to the the latest Cumulative Update.

The Cumulative Updates also include DST changes, which is also contained in the latest Rollups published for Exchange 2010 and 2007.

For a list of fixes in these updates, see below.

Exchange 2016 CU5

15.1.845.34

KB4012106

Download

UMLP

Exchange 2013 CU16

15.0.1293.2

KB4012112

Download

UMLP

Exchange 2010 SP3 Rollup 17

14.3.352.0

KB4011326

Download

 

Exchange 2007 SP3 Rollup 23

8.3.517.0

KB4011325

Download

 

Exchange 2016 CU5 fixes:

  • KB4015665 SyncDelivery logging folders and files are created in wrong location in Exchange Server 2016
  • KB4015664 A category name that has different case-sensitivity than an existing name is not created in Exchange Server 2016
  • KB4015663 “The message content has become corrupted” exception when email contains a UUE-encoded attachment in Exchange Server 2016
  • KB4015662 Deleted inline picture is displayed as attachment after you switch the message to plain text in Exchange Server 2016
  • KB4015213 Email is still sent to Inbox when the sender is deleted from the Trusted Contacts list in Exchange Server 2016
  • KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013
  • KB4012994 PostalAddressIndex element isn’t returning the correct value in Exchange Server 2016

Exchange 2013 CU16 fixes:

  • KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013

Notes:

Exchange 2016 CU5 doesn’t include schema changes, however, Exchange 2016 CU5 as well as Exchange 2013 CU16 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.

When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Do note that upgrading, before installing the Exchange binaries, setup will put the server in server-wide offline-mode.

Using Windows Management Framework (WMF)/PowerShell version 5 on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.

When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to stay at least one version behind (n-1).

  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of upgrading servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Source

Exchange Team has released Quarterly Exchange Updates

– A new Outlook on the web compose experience
– Support for .Net 4.6.2
– Change to Pre-Requisites installed by Setup
– Update on Windows Server 2016 support KB3206632
– Latest time zone updates
– Important Public Folder fix included in these releases

Exchange Server 2016 Cumulative Update 4 (KB3177106), Download, UM Lang Packs
Exchange Server 2013 Cumulative Update 15 (KB3197044), Download, UM Lang Packs
Exchange Server 2010 Service Pack 3 Update Rollup 16 (KB3184730), Download
Exchange Server 2007 Service Pack 3 Update Rollup 22 (KB3184712), Download

IIS Crypto the best tool to configure SSL/TLS cipher suites

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

Features

– Single click to secure your website using best practices
– Create custom templates that can be saved and run on multiple servers
– Stop DROWN, logjam, FREAK, POODLE and BEAST attacks
– Disable weak protocols and ciphers such as SSL 2.0, 3.0 and MD5
– Enable TLS 1.1 and 1.2
– Enable forward secrecy
– Reorder cipher suites
– Built in Best Practices, PCI, PCI 3.1 and FIPS 140-2 templates
– Site scanner to test your configuration
– Command line version

Screenshot1

MS16-108: Security update for Exchange Server 2007/2010/2013/2016

Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In Libraries that are built into Exchange Server. This issue might occur if an attacker sends an email message with a specially crafted attachment to a vulnerable Exchange Server computer. To learn more about this vulnerability, see Microsoft Security Bulletin MS16-108.

More information about this security update

The following articles contain more information about this security update as it relates to individual product versions.

  • 3184736 MS16-108: Description of the security update for Exchange Server 2016 and Exchange Server 2013: September 13, 2016
  • 3184728 MS16-108: Update Rollup 15 for Exchange Server 2010 Service Pack 3: September 13, 2016
  • 3184711 MS16-108: Update Rollup 21 for Exchange Server 2007 Service Pack 3: September 13, 2016

Exchange Updates installing slow on Windows Server 2012 R2

For customers who are running Exchange on Windows Server 2012 R2, we want to make certain you are aware of a condition which can substantially increase the amount of time it takes to install Exchange Updates on this OS. Working with the .Net team, we have discovered that systems which have applied Windows Update KB3097966 can take 50% more time to install Exchange. The .Net team is working on a resolution to this and will include a fix in a future product update. In the meantime, customers who have deployed this Windows update can take a one-time action on their server before installing Exchange or a Cumulative Update to bring installation time back to normal. This procedure needs to be done once on every Exchange server running Windows Server 2012 R2. The command to execute is:

“%windir%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update”

Errors and warnings encountered running this command can be safely ignored provided the final exit status code of 0 is reported in the output.

Rollup 13 for Exchange Server 2010 Service Pack 3

This update rollup includes the following changes: 

  • A new Office 365 Hybrid Configuration wizard (HCW) is used in Exchange Server 2010 that was bundled in the Exchange Management Console (EMC). This change makes sure that EMC always runs the latest version of the HCW that contains up-to-date experience when the HCW is initiated from the EMC.
  • An updated Secure/Multipurpose Internet Mail Extensions (S/MIME) Control for Outlook Web Access. The control is signed to use aSHA-2 compliant code signing certificate. After you install this update, an updated version of the control on the Exchange server will be replaced. Users who have installed the earlier version of the control into a computer’s browser must log on to Outlook Web Access and download the updated control after the Exchange server updates are completed.
  • Exchange Server 2010 Service Pack 3 Update Rollup 13 (KB3141339) Download

Update Rollup 12 for Exchange Server 2010 Service Pack 3

Update Rollup 12 for Microsoft Exchange Server 2010 Service Pack 3 (SP3) was released on December 15, 2015. This update rollup fixesvarious issues. Before you install this update, you must remove all interim updates for Exchange Server 2010 SP3. Also, see this important information about how to install this update.

This update fixes the issues that are described in the following Microsoft Knowledge Base article:

This update also includes new daylight saving time (DST) updates for Exchange Server 2010 SP3. For more information about DST, go toDaylight Saving Time Help and Support Center.

Download Update Rollup 12 for Exchange Server 2010 SP3 (KB3096066).

Rollup 11 for Exchange Server 2010 Service Pack 3

Exchange Team has released Update Rollup 11 for Exchange Server 2010 Service Pack 3.

From the Microsoft Exchange Team blog:

This release provides an important fix for an Information Store crash when customers are upgrading their Lync server infrastructure to Skype for Business.

Exchange Server 2010 Service Pack 3 Update Rollup 11, is the minimum version of Exchange Server 2010 which will be supported in a coexistence deployment with Exchange Server 2016.

Update Rollup 11 can be downloaded here.

Translate »