Exchange 2010-2016 Security Fixes

Microsoft released security updates to fix a remote code execution vulnerability in
Exchange Server. The related knowledge base article is KB4018588.

More information is contained in the following Common Vulnerabilities and Exposures articles:

  • CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
  • CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability

Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:

As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.

The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.


Important update for Azure Active Directory Connect – Version 1.1.553.0

Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 26, 2017. More importantly, they published an important security advisory one day later.

Microsoft Security Advisory 4033453 – Vulnerability in Azure AD Connect Could Allow Elevation of Privilege explains,

The [AAD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.

Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don’t use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.

  • If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
  • If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
  • It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object which disallows the AD DS account with Reset Password permission using the Windows DSACLS tool.
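The three mitigation steps above all hinge on one question: does the AD DS connector account, directly or through adminSDHolder, hold Reset Password rights over protected accounts? The following PowerShell audit is an added example, not code from the Microsoft advisory or from Azure AD Connect; it assumes the ActiveDirectory module is installed and uses a placeholder connector account name (`MSOL_connector`) that you must replace with your own.

```powershell
# Added audit example (not from the Microsoft advisory or the Azure AD Connect product):
# reports the exposure the mitigations above describe for the AD DS connector account.
# Assumes the ActiveDirectory module; $ConnectorAccount is a placeholder name.
Import-Module ActiveDirectory

$ConnectorAccount  = 'MSOL_connector'          # placeholder: your AD DS connector account
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$PrivilegedGroups  = 'Domain Admins','Enterprise Admins','Administrators',
                     'Account Operators','Schema Admins','Backup Operators'

$acct          = Get-ADUser -Identity $ConnectorAccount -Properties MemberOf
$domain        = Get-ADDomain
$adminSDHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Mitigation 1: direct membership in on-premises privileged groups
$privMembership = foreach ($dn in $acct.MemberOf) {
    $g = Get-ADGroup -Identity $dn
    if ($PrivilegedGroups -contains $g.Name) { $g.Name }
}

# Mitigations 2/3: Allow ACEs on adminSDHolder that give this account Reset Password,
# either as an explicit control access right (or "all extended rights") or via GenericAll.
# Grants inherited through group membership are not resolved here, so an empty result
# does not by itself prove the account is safe.
$acl = Get-Acl -Path "AD:\$adminSDHolder"
$resetAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $acct.SID -and
    (
        ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
         ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)) -or
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    )
}

"Connector account : $($acct.DistinguishedName)"
"Privileged groups : $(if ($privMembership) { $privMembership -join ', ' } else { 'none' })"
"adminSDHolder ACEs: $(@($resetAces).Count) granting Reset Password to this account"
$resetAces | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize

if ($privMembership -or $resetAces) {
    # Mitigation 3 from the advisory: a DENY ACE set with dsacls. Printed, not executed,
    # so the change is reviewed and applied deliberately.
    "Suggested deny ACE (review before running):"
    "dsacls `"$adminSDHolder`" /D `"$($domain.NetBIOSName)\$($acct.SamAccountName):CA;Reset Password`""
}
```

Run it as an account that can read the adminSDHolder security descriptor; the deny ACE is only suggested, because the advisory itself frames it as the fallback when the group membership or Allow ACE cannot be removed.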

Expta

MS16-108: Security update for Exchange Server 2007/2010/2013/2016

Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In Libraries that are built into Exchange Server. This issue might occur if an attacker sends an email message with a specially crafted attachment to a vulnerable Exchange Server computer. To learn more about this vulnerability, see Microsoft Security Bulletin MS16-108.

More information about this security update

The following articles contain more information about this security update as it relates to individual product versions.

  • 3184736 MS16-108: Description of the security update for Exchange Server 2016 and Exchange Server 2013: September 13, 2016
  • 3184728 MS16-108: Update Rollup 15 for Exchange Server 2010 Service Pack 3: September 13, 2016
  • 3184711 MS16-108: Update Rollup 21 for Exchange Server 2007 Service Pack 3: September 13, 2016

MS16-010: Security update in Microsoft Exchange Server to address spoofing: January 12, 2016

This security update resolves a vulnerability in Microsoft Exchange Server that could allow information disclosure if Outlook Web Access (OWA) doesn’t handle web requests correctly and doesn’t sanitize user input and email content correctly.

To learn more about the vulnerability, see Microsoft Security Bulletin MS16-010.

Download:

  • Microsoft Exchange Server 2013 Service Pack 1 (3124557)
  • Microsoft Exchange Server 2013 Cumulative Update 10 (3124557)
  • Microsoft Exchange Server 2013 Cumulative Update 11 (3124557)
  • Microsoft Exchange Server 2016 (3124557)

MS15-122 Security Update for Kerberos to Address Security Feature Bypass (Bitlocker)

This security update resolves a security feature bypass in Microsoft Windows. An attacker could bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker. The bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key, the computer is domain-joined, and the attacker has physical access to the computer.

This security update is rated Important for all supported editions of Windows. For more information, see the Affected Software section.

The update addresses the bypass by adding an additional authentication check that will run prior to a password change. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3105256.

MS15-064 & Exchange 2013

Microsoft released a security update for Exchange 2013 to fix a new vulnerability. MS15-064 has a severity rating of ‘Important’.

Download the update for Exchange 2013 CU8 and Exchange 2013 SP1. More information: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3062157)

KEMP Releases patch for Heartbleed Vulnerability

KEMP Releases patch for Heartbleed Vulnerability – CVE-2014-0160

  • Versions affected – v7.0-12a, v7.0-14a
  • Platforms affected – All LoadMasters
  • To confirm vulnerability you can visit – http://possible.lv/tools/hb/

Patches are available at the locations below, based on LoadMaster model.

To patch to this version you must be running version 6.0-42 or later. If your firmware does not meet these requirements, please contact support.

URLs:

  • http://downloads.kemptechnologies.com/hotfixes/7.0-14b/7.0-Patch14b-LM2400-3600-5300-5400-5500-VLM200-2000-5000.bin
  • http://downloads.kemptechnologies.com/hotfixes/7.0-14b/7.0-Patch14b-LM2200-2600-EX-VLM100-1000.bin
  • http://downloads.kemptechnologies.com/hotfixes/7.0-14b/7.0-Patch14b-VLM-AZURE.bin

Username: 7.0-14b
Password: 8A5hR/5t0FVAI5+0

Update Rollup 8 for Exchange Server 2007 SP3

Update Rollup 8 for Exchange Server 2007 SP3 resolves the issues that are described in the following Microsoft Knowledge Base articles:

  • 2699574 Microsoft Exchange Information Store service may stop responding when you perform a search on Exchange mailboxes in an Exchange Server 2007 environment
  • 2701037 Events 4999 and 7034 are logged and the Microsoft Exchange Information Store service crashes on an Exchange Server 2007 mailbox server
  • 2730089 Microsoft Exchange Information Store service may stop responding when you perform a search on Exchange mailboxes in an Exchange Server 2007 environment
  • 2732525 Outlook keeps prompting you for credentials and incorrectly connects to an out-of-site global catalog after you install Update Rollup 6 for Exchange Server 2007 SP3

Update Rollup 8 for Exchange Server 2007 SP3 also resolves the issue that is described in Microsoft Security Bulletin MS12-058.

For more information about Security Bulletin MS12-058, click the following article number to view the article in the Microsoft Knowledge Base: 2740358 MS12-058: Vulnerability in Microsoft Exchange Server WebReady document viewing could allow remote code execution: August 14, 2012


Update Rollup 4 for Exchange Server 2010 SP2

Update Rollup 4 for Exchange Server 2010 SP2 resolves the issues that are described in the following Microsoft Knowledge Base (KB) articles:

  • 2536846 Email messages sent to a mail-enabled public folder may be queued in a delivery queue on the Hub Transport server in an Exchange Server 2010 environment
  • 2632409 Sent item is copied to the Sent Items folder of the wrong mailbox in an Exchange Server 2010 environment when a user is granted the Send As permission
  • 2637915 "550 5.7.1" NDR when an email message is sent between tenant organizations in a multi-tenant Exchange Server 2010 environment
  • 2677727 MRM cannot process retention policies on a cloud-based archive mailbox if the primary mailbox is in an on-premises Exchange Server 2010 organization
  • 2685001 Retention policies do not work for the Calendar and Tasks folders in an Exchange Server 2010 SP1 environment
  • 2686540 Journal report is not delivered to a journaling mailbox in an Exchange Server 2010 environment
  • 2689025 Performance issues when you use the light version of Outlook Web App in an Exchange Server 2010 environment
  • 2698571 Some email messages are not delivered when you set the MessageRateLimit parameter in a throttling policy in an Exchange Server 2010 environment
  • 2698899 Add-ADPermission cmdlet together with a DomainController parameter fails in an Exchange Server 2010 environment
  • 2700172 Recipient’s email address is resolved incorrectly to a contact’s email address in an Exchange Server 2010 environment
  • 2701162 User A that is granted the Full Access permission to User B’s mailbox cannot see detailed free/busy information for User B in an Exchange Server 2010 environment
  • 2701624 ItemSubject field is empty when you run the Search-MailboxAuditLog cmdlet together with the ShowDetails parameter in an Exchange Server 2010 environment
  • 2702963 The "Open Message In Conflict" button is not available in the conflict notification message in Exchange Server 2010
  • 2707242 The Exchange Information Store service stops responding on an Exchange Server 2010 server
  • 2709014 EdgeTransport.exe process crashes intermittently on an Exchange Server 2010 server
  • 2709935 EdgeTransport.exe process repeatedly crashes on an Exchange Server 2010 server
  • 2713339 Multi-Mailbox Search feature returns incorrect results when you perform a complex discovery search in an Exchange Server 2010 environment
  • 2713371 Throttling policy throttles all EWS applications in Exchange Server 2010
  • 2719894 The Microsoft Exchange RPC Client Access service consumes 100 percent of CPU resources and stops responding on an Exchange Server 2010 Client Access server
  • 2723383 Incorrect time zone in a notification when the Resource Booking Attendant declines a meeting request from a user in a different time zone in an Exchange Server 2010 environment
  • 2724188 A subject that contains colons is truncated in a mixed Exchange Server 2003 and Exchange Server 2010 environment
  • 726897 Event 14035 or Event 1006 is logged when Admin sessions are exhausted in an Exchange Server 2010 environment

Update Rollup 4 for Exchange Server 2010 SP2 also resolves the issue that is described in Microsoft Security Bulletin MS12-058.

For more information about Security Bulletin MS12-058, click the following article number to view the article in the Microsoft Knowledge Base: 2740358 MS12-058: Vulnerability in Microsoft Exchange Server WebReady document viewing could allow remote code execution: August 14, 2012


Hyper-V Updates for Windows 2008 R2

Each entry lists: Knowledge Base Article – Name – Date – Required?

  • KB974598 – “You receive a "Stop 0x0000007E" error on the first restart after you enable Hyper-V on a Windows Server 2008 R2-based computer” – 10/1/2009 – Yes, if you encounter this error and your server uses a “C-state” (lower power state) that is supported by the processor, but is not supported by Hyper-V.
  • KB974909 – “The network connection of a running Hyper-V virtual machine is lost under heavy outgoing network traffic on a Windows Server 2008 R2-based computer” – 10/21/2009 – No.
  • KB975354 – “A Hyper-V update rollup package is available for a computer that is running Windows Server 2008 R2” – 11/10/2009 – Yes, if you are running a backup or restore solution.
  • KB975530 – “Stop error message on an Intel Xeon 5500 series processor-based computer that is running Windows Server 2008 R2 and that has the Hyper-V role installed: "0x00000101 – CLOCK_WATCHDOG_TIMEOUT"” – 11/20/2009 – Yes, if you are running Hyper-V on the affected hardware.
  • KB974672 – “Virtual machines stop responding (hang) during startup and the Vmms.exe process crashes on a Windows Server 2008 R2 computer that has the Hyper-V role installed” – 10/14/2009 – No.
  • KB977894 – “MS10-010: Vulnerability in Windows Server 2008 Hyper-V could allow denial of service” – 2/9/2010 – Yes.
  • KB980856 – “Stop error in Windows Server 2008 R2: "0x000000CA PNP_DETECTED_FATAL_ERROR"” – 3/12/2010 – Yes, if you store VHDs on non-PNP disks.
  • KB981618 – “The computer stops responding or restarts during the Hyper-V Live Migration process in Windows Server 2008 R2” (relates to AMD Errata 383) – 3/27/2010 – Yes, if you are running Hyper-V on AMD processors.
  • KB981836 – “Network connectivity for a Windows Server 2003-based Hyper-V virtual machine is lost temporarily in Windows Server 2008 R2” – 4/28/2010 – Yes, if the server running Hyper-V has a virtual machine that is running Windows Server 2003.
  • KB981791 – “"STOP: 0x0000001a" error message on a computer that has an Intel Westmere processor together with the Hyper-V role installed on Windows Server 2008 or on Windows Server 2008 R2” – 5/5/2010 – Yes, if you are running Hyper-V on Intel Westmere processors.

Source: http://technet.microsoft.com/en-us/library/ff394763(WS.10).aspx