MS16-108: Security update for Exchange Server 2007/2010/2013/2016

Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In Libraries that are built into Exchange Server. This issue might occur if an attacker sends an email message with a specially crafted attachment to a vulnerable Exchange Server computer. To learn more about this vulnerability, see Microsoft Security Bulletin MS16-108.

More information about this security update

The following articles contain more information about this security update as it relates to individual product versions.

  • 3184736 MS16-108: Description of the security update for Exchange Server 2016 and Exchange Server 2013: September 13, 2016
  • 3184728 MS16-108: Update Rollup 15 for Exchange Server 2010 Service Pack 3: September 13, 2016
  • 3184711 MS16-108: Update Rollup 21 for Exchange Server 2007 Service Pack 3: September 13, 2016

Cumulative Update 2 for Exchange Server 2016

.Net 4.6.1 Support

Support for .Net 4.6.1 is now available for Exchange Server 2016 and 2013 with these updates. We fully support customers upgrading servers running 4.5.2 to 4.6.1 without removing Exchange. We recommend that customers apply Exchange Server 2016 Cumulative Update 2 or Exchange Server 2013 Cumulative Update 13 before upgrading .Net Framework. Servers should be placed in maintenance mode during the upgrade, as you would do when applying a Cumulative Update. Support for .Net 4.6.1 requires the following post-release fixes for .Net as well.

Note: .Net 4.6.1 installation replaces the existing 4.5.2 installation. If you attempt to roll back the .Net 4.6.1 update, you will need to install .Net 4.5.2 again.

AutoReseed Support for BitLocker

Beginning with Exchange 2013 CU13 and Exchange 2016 CU2, the Disk Reclaimer function within AutoReseed supports BitLocker. By default, this feature is disabled. For more information on how to enable this functionality, please see Enabling BitLocker on Exchange Servers.

SHA-2 Support for Self-Signed Certificates

The New-ExchangeCertificate cmdlet has been updated to produce a SHA-2 certificate for all self-signed certificates created by Exchange. Creating a SHA-2 certificate is the default behaviour for the cmdlet. Existing certificates will not automatically be regenerated but newly installed servers will receive SHA-2 certificates by default. Customers may opt to replace existing non-SHA2 certificates generated by previous releases as they see fit.
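To find the existing certificates that paragraph refers to, the following added example (not taken from the Exchange documentation) lists self-signed certificates in the local computer store whose signature algorithm is not in the SHA-2 family. The function name `Get-NonSha2SelfSignedCertificate` is hypothetical, and the script assumes the server certificates live in `Cert:\LocalMachine\My`.

```powershell
# Added example: audit the local computer store for self-signed certificates
# that are not signed with a SHA-2 family algorithm.
# Assumption: server certificates are stored in Cert:\LocalMachine\My.

# Signature algorithm OIDs in the SHA-2 family (RSA and ECDSA variants).
# OIDs are compared instead of friendly names because friendly names can vary.
$Sha2SignatureOids = @(
    '1.2.840.113549.1.1.11',  # sha256RSA
    '1.2.840.113549.1.1.12',  # sha384RSA
    '1.2.840.113549.1.1.13',  # sha512RSA
    '1.2.840.10045.4.3.2',    # sha256ECDSA
    '1.2.840.10045.4.3.3',    # sha384ECDSA
    '1.2.840.10045.4.3.4'     # sha512ECDSA
)

function Get-NonSha2SelfSignedCertificate {
    [CmdletBinding()]
    param(
        # Certificate store to inspect.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath |
        Where-Object {
            # Heuristic for self-signed: subject and issuer names are identical.
            ($_.Subject -eq $_.Issuer) -and
            ($Sha2SignatureOids -notcontains $_.SignatureAlgorithm.Value)
        } |
        Select-Object Thumbprint, Subject, NotAfter,
            @{ Name = 'SignatureAlgorithm'
               Expression = { $_.SignatureAlgorithm.FriendlyName } },
            @{ Name = 'SignatureOid'
               Expression = { $_.SignatureAlgorithm.Value } }
}

# Oldest expiry first, so soon-to-expire certificates are reviewed first.
Get-NonSha2SelfSignedCertificate |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

Any certificate signed with an algorithm outside the listed OIDs is reported, so review the SignatureAlgorithm column before deciding what to replace.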

Migration to Modern Public Folder Resolved

The issue reported in KB3161916 has been resolved.

 

This cumulative update fixes the following issues:

This cumulative update also fixes the issues that are described in the KB 3160339 MS16-079: Security update for Microsoft Exchange: June 14, 2016 and KB 3134844 Cumulative Update 1 for Exchange Server 2016 Microsoft Knowledge Base articles.
This update also includes new daylight saving time (DST) updates for Exchange Server 2016. For more information about DST, go to Daylight Saving Time Help and Support Center.

Download: https://www.microsoft.com/en-us/download/details.aspx?id=52968

Cumulative Update 1 for Exchange Server 2016

Exchange Team released: Cumulative Update 1 for Exchange Server 2016

Issues that the cumulative update fixes

KB 3139730 Edge Transport service crashes when you view the properties of a poison message in Exchange Server 2016
KB 3135689 A custom SAP ODI URI is removed by ActiveSync from an email message in an Exchange Server environment
KB 3135688 Preserves the web.config file for Outlook Web App when you apply a cumulative update in Exchange Server 2016
KB 3135601 Cyrillic characters are displayed as question marks when you run the “Export-PublicFolderStatistics.ps1” script in an Exchange Server 2016 environment
KB 3124242 Mailbox quota is not validated during migration to Exchange Server 2013 or Exchange Server 2016

Exchange Server 2016 Cumulative Update 1 (KB3134844), Download, UM Lang Packs

Cumulative Update 12 for Exchange Server 2013

Exchange team released CU12 for Exchange 2013

Issues that this cumulative update fixes:

KB 3143710 “Failed Search or Export” error occurs when an eDiscovery search in the Exchange Admin Center finishes

Microsoft Exchange Server User Monitor For Exchange 2013 and 2016

        Use the Microsoft Exchange Server User Monitor to gather real-time data to better understand current client usage patterns, and to plan for future work.
        Administrators can view details on server resource utilization as reported through server-side tracing. This tool works with Microsoft Exchange Server 2013 and 2016.
        The tool is provided as-is. At this time, there are no updates or patches planned for future release. No formal support is provided for the tool. Some minimal support may be provided by Microsoft but not all reported issues will be able to be addressed or resolved.

        Exchange Server User Monitor

      Exchange Analyzer is a great tool for every Exchange Admin

      Exchange Analyzer is a PowerShell tool that scans an Exchange Server 2013 or 2016 organization and reports on compliance with best practices.

      Exchange Analyzer is a community project, and is currently a beta release seeking feedback and results from real world environments.

      To read the latest information about Exchange Analyzer click here to visit the project’s ReadMe on Github. More information can also be found in the Exchange Analyzer Wiki.

      Installation Instructions

      1. Download the latest Zip file

      2. Extract or copy the following files and folders to a computer that has the Exchange 2013 or 2016 management shell installed. For example, place all of the files and folders in a C:\Scripts\ExchangeAnalyzer folder.

        • Run-ExchangeAnalyzer.ps1
        • \Data
        • \Modules
        • \Tests

        3. Copy the folders in the \Modules folder to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\

        4. Open a new Exchange Management Shell

        Important Note: if you are updating your copy of Exchange Analyzer please make sure you copy the updated module in step 3.

        Running Exchange Analyzer

        To run the Exchange Analyzer open an Exchange management shell, navigate to the folder with the script files (e.g. C:\Scripts\ExchangeAnalyzer) and run:

        Interpreting Results

        Exchange Analyzer produces an HTML report with a simple “Passed/Failed” indicator and a list of passed and/or failed objects. Links to more info are provided to assist you with further interpretation of the report.

        Feedback and Questions

        Before submitting feedback or questions please review the Exchange Analyzer FAQ.

        You can help with bug fixes by submitting issues on Github. If you would like to contribute fixes or other code please review the Exchange Analyzer Wiki.

        You can also send email to feedback@exchangeanalyzer.com.

        Change Log

        14/01/2016 – v0.1.0-Beta.1

        • First public beta release

        28/01/2016 – v0.1.1-Beta.2

        • Second beta release. Details of changes are here.


        MS16-010: Security update in Microsoft Exchange Server to address spoofing: January 12, 2016

        This security update resolves a vulnerability in Microsoft Exchange Server that could allow information disclosure if Outlook Web Access (OWA) doesn’t handle web requests, sanitize user input and email content correctly.

        To learn more about the vulnerability, see Microsoft Security Bulletin MS16-010.

        Download:
        Microsoft Exchange Server 2013 Service Pack 1 (3124557)

        Microsoft Exchange Server 2013 Cumulative Update 10 (3124557)

        Microsoft Exchange Server 2013 Cumulative Update 11 (3124557)

        Microsoft Exchange Server 2016 (3124557)

        Cumulative Update 11 for Exchange Server 2013

        Cumulative Update 11 for Microsoft Exchange Server 2013 was released on December 15, 2015. Several nonsecurity issues are fixed in this cumulative update or a later cumulative update for Exchange Server 2013.

        This cumulative update fixes the issues that are described in the following Microsoft Knowledge Base articles:

        This update also includes new daylight saving time (DST) updates for Exchange Server 2013. For more information about DST, go to Daylight Saving Time Help and Support Center.

         

        Download Cumulative Update 11 for Exchange Server 2013 (KB3099522) now.

        Cumulative Update 10 for Exchange Server 2013

        Exchange Team has released Cumulative Update 10 for Exchange Server 2013.

        From the Microsoft Exchange Team blog:

        The release includes fixes for customer reported issues, minor product enhancements and previously released security bulletins, including MS15-103.

        Cumulative Update 10 does not include updates to Active Directory Schema, but does include additional RBAC definitions requiring PrepareAD to be executed prior to upgrading any servers to CU10. PrepareAD will run automatically during the first server upgrade if Setup detects this is required and the logged on user has sufficient permission.

        The updates released today are important pre-requisites for customers with existing Exchange deployments who will deploy Exchange Server 2016. Cumulative Update 10 is the minimum version of Exchange Server 2013 which will co-exist with Exchange Server 2016.

        For the full list of fixes check: KB3078678

        Cumulative Update 10 is available for download here.

        Cumulative Update 9 for Exchange Server 2013

        Exchange Team released Cumulative Update 9 for Exchange Server 2013

        Fixes:
