Microsoft released security updates to fix a remote code execution vulnerability in
Exchange Server. The related knowledge base article is KB4018588.
More information is contained in the following Common Vulnerabilities and Exposures articles:
- CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
- CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
- CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability
Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:
As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.
The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.
The Exchange Team is announcing an update to our support policy for Windows Server 2016 and Exchange Server 2016. At this time we do not recommend that customers install the Exchange Edge role on Windows Server 2016. We also do not recommend that customers enable antispam agents on the Exchange Mailbox role on Windows Server 2016, as outlined in Enable antispam functionality on Mailbox servers.
Why are we making this change?
In our post Deprecating support for SmartScreen in Outlook and Exchange, Microsoft announced that we will no longer publish content filter updates for Exchange Server. We believe that Exchange customers will receive a better experience using Exchange Online Protection (EOP) for content filtering. We are also making this recommendation due to a conflict with the SmartScreen Filters shipped for Windows, Microsoft Edge and Internet Explorer browsers. Customers running Exchange Server 2016 on Windows Server 2016 without KB4013429 installed will encounter an Exchange uninstall failure when decommissioning a server. The failure is caused by a collision between the content filters shipped by Exchange and by Windows, which have conflicting configuration information in the Windows registry. This collision also impacts customers who install KB4013429 on a functional Exchange Server: after the KB is applied, the Exchange Transport Service will crash on startup if the content filter agent is enabled on the Exchange Server. The Edge role enables the filter by default and has no supported method to permanently remove the content filter agent. The new behavior introduced by KB4013429, combined with our product direction to discontinue filter updates, is causing us to deprecate this functionality in Exchange Server 2016 more quickly when Windows Server 2016 is in use.
What about other operating systems supported by Exchange Server 2016?
Due to the discontinuance of SmartScreen Filter updates for Exchange server, we encourage all customers to stop relying upon this capability on all supported operating systems. Installing the Exchange Edge role on supported operating systems other than Windows Server 2016 is not changed by today’s announcement. The Edge role will continue to be supported on non-Windows Server 2016 operating systems subject to the operating system lifecycle outlined at https://support.microsoft.com/lifecycle.
Help! My services are already crashing or I want to proactively avoid this
If you used Install-AntiSpamAgents.ps1 to install content filtering on the Mailbox role:
- Find a suitable replacement for your email hygiene needs, such as EOP or another third-party solution
- Run the Uninstall-AntiSpamAgents.ps1 from the \Scripts folder created by Setup during Exchange installation
If you are running the Edge role on Windows Server 2016:
- Delay deploying KB4013429 to your Edge role or uninstall the update if required to restore service
- Deploy the Edge role on Windows Server 2012 or Windows Server 2012 R2 (preferred)
Support services are available for customers who may need further assistance.
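The following script is an added example, not code from the Exchange Team post, that checks a single server for the combination the post describes (Windows Server 2016, KB4013429 installed, Content Filter Agent enabled) and reports which of the two remediation paths above applies. It assumes it is run in the Exchange Management Shell, where Get-TransportAgent, Get-ExchangeServer and the $exscripts variable (the \Scripts folder created by Setup) are available; the agent name 'Content Filter Agent' is the name Exchange registers for the SmartScreen-based filter.

```powershell
# Added example: assess this server for the KB4013429 / content filter collision.
# Assumes the Exchange Management Shell ($exscripts, Get-TransportAgent, Get-ExchangeServer).

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isWs2016 = $os.Caption -like '*Server 2016*'

# Get-HotFix lists Windows updates by KB id; a missing id produces an error,
# which we silence and treat as "not installed".
$kbInstalled = $null -ne (Get-HotFix -Id 'KB4013429' -ErrorAction SilentlyContinue)

# The Content Filter Agent is the agent the post refers to.
$agent = Get-TransportAgent -Identity 'Content Filter Agent' -ErrorAction SilentlyContinue
$agentEnabled = ($null -ne $agent) -and $agent.Enabled

# Role lookup; on servers where Get-ExchangeServer is unavailable this stays empty.
$server = Get-ExchangeServer -Identity $env:COMPUTERNAME -ErrorAction SilentlyContinue
$role = if ($server) { [string]$server.ServerRole } else { 'Unknown' }

if ($isWs2016 -and $agentEnabled) {
    if ($kbInstalled) {
        Write-Warning "KB4013429 is installed and the Content Filter Agent is enabled: the Transport service is expected to crash on startup."
    } else {
        Write-Warning "Content Filter Agent is enabled on Windows Server 2016: installing KB4013429 would break the Transport service."
    }
    if ($role -like '*Mailbox*') {
        Write-Output "Mailbox role: after moving filtering to EOP or another service, run $exscripts\Uninstall-AntiSpamAgents.ps1 to remove the agents."
        # & "$exscripts\Uninstall-AntiSpamAgents.ps1"   # uncomment to perform the removal
    } elseif ($role -like '*Edge*') {
        Write-Output "Edge role: delay or uninstall KB4013429 to keep Transport running, and plan to redeploy Edge on Windows Server 2012 R2 (the preferred option)."
    } else {
        Write-Output "Role could not be determined; review the agent state manually with Get-TransportAgent."
    }
} else {
    Write-Output "No collision risk detected on $env:COMPUTERNAME (WS2016: $isWs2016, KB4013429: $kbInstalled, Content Filter Agent enabled: $agentEnabled)."
}
```

Run it on each Mailbox and Edge server before the next patch cycle; the script only reads state and prints a recommendation, and the actual removal line is left commented out so that the replacement hygiene service is in place first, as the post advises.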