MS16-010: Security update in Microsoft Exchange Server to address spoofing: January 12, 2016

This security update resolves a vulnerability in Microsoft Exchange Server that could allow information disclosure if Outlook Web Access (OWA) doesn’t handle web requests, sanitize user input and email content correctly.

To learn more about the vulnerability, see Microsoft Security Bulletin MS16-010.

Download:
Microsoft Exchange Server 2013 Service Pack 1 (3124557)

Microsoft Exchange Server 2013 Cumulative Update 10 (3124557)

Microsoft Exchange Server 2013 Cumulative Update 11 (3124557)

Microsoft Exchange Server 2016 (3124557)

Cumulative Update 10 for Exchange Server 2013

Exchange Team has released Cumulative Update 10 for Exchange Server 2013.

From the Microsoft Exchange Team blog:

The release includes fixes for customer reported issues, minor product enhancements and previously released security bulletins, including MS15-103.

Cumulative Update 10 does not include updates to Active Directory Schema, but does include additional RBAC definitions requiring PrepareAD to be executed prior to upgrading any servers to CU10. PrepareAD will run automatically during the first server upgrade if Setup detects this is required and the logged on user has sufficient permission.

The updates released today are important pre-requisites for customers with existing Exchange deployments who will deploy Exchange Server 2016.Cumulative Update 10 is the minimum version of Exchange Server 2013 which will co-exist with Exchange Server 2016.

For the full list of fixes check: KB3078678

Cumulative Update 10 is available for download here.