Microsoft Exchange Memory Corruption Vulnerability

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.

Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.

Download:

  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 21 (4091243)
  • Microsoft Exchange Server 2013 Cumulative Update 19 (4092041)
  • Microsoft Exchange Server 2013 Cumulative Update 20 (4092041)
  • Microsoft Exchange Server 2013 Service Pack 1 (4092041)
  • Microsoft Exchange Server 2016 Cumulative Update 8 (4092041)
  • Microsoft Exchange Server 2016 Cumulative Update 9 (4092041)

Exchange Server 2016 online training courses now available

Microsoft announced the release of four new edX online training courses for Microsoft Exchange Server 2016. If you plan to implement Exchange Server 2016 or Exchange Online, or if you want to make sure that your implementation was done right, the Exchange Server 2016 online training courses are for you.

Course offerings include:

Each Exchange course is targeted to the IT professional audience, with hands-on labs that reinforce student learning. Students are graded on completing each module, as well as on module assessment exams and a final course exam. A Certificate can be earned by completing each course with a passing grade. Courses are self-paced, allowing IT professionals to build Exchange skills at their own pace as their schedules permit.

The first course, CLD208.1x: Microsoft Exchange Server 2016 Infrastructure, is free. The remaining three courses are for-fee courses at $49 USD per course.

edX is a massive open online course (MOOC) provider that was developed by MIT and Harvard University. The Microsoft Learning Experiences team has created a wide range of online training courses for edX, and these four Exchange courses are the team’s latest Office releases. They are the first of seven courses that cover the core skills an Exchange administrator needs to proficiently design, implement and manage an Exchange 2016 and Exchange Online implementation.


CPU usage is high when you use RPC over HTTP protocol in Windows 8.1 or Windows Server 2012 R2

Consider the following scenario that takes Microsoft Exchange Server 2013 as an example:

  • The Mailbox server role is enabled in Exchange Server 2013.
  • Exchange mailboxes use extended MAPI to communicate with the Exchange Server.
  • The extended MAPI uses Microsoft RPC over HTTP (remote procedure call over HTTP) protocol.
  • Many clients (such as mobile devices) are dropping connections to the Exchange Server.

In this scenario, the CPU usage on the Exchange server may reach 100 percent.

Hotfix: https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=3041832&kbln=en-US

MS16-108: Security update for Exchange Server 2007/2010/2013/2016

Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In Libraries that are built into Exchange Server. This issue might occur if an attacker sends an email message with a specially crafted attachment to a vulnerable Exchange Server computer. To learn more about this vulnerability, see Microsoft Security Bulletin MS16-108.

More information about this security update

The following articles contain more information about this security update as it relates to individual product versions.

  • 3184736 MS16-108: Description of the security update for Exchange Server 2016 and Exchange Server 2013: September 13, 2016
  • 3184728 MS16-108: Update Rollup 15 for Exchange Server 2010 Service Pack 3: September 13, 2016
  • 3184711 MS16-108: Update Rollup 21 for Exchange Server 2007 Service Pack 3: September 13, 2016

Microsoft Exchange Server User Monitor For Exchange 2013 and 2016

Use the Microsoft Exchange Server User Monitor to gather real-time data to better understand current client usage patterns, and to plan for future work.

Administrators can view details on server resource utilization as reported through server-side tracing. This tool works with Microsoft Exchange Server 2013 and 2016.

The tool is provided as-is. At this time, there are no updates or patches planned for future release. No formal support is provided for the tool. Some minimal support may be provided by Microsoft but not all reported issues will be able to be addressed or resolved.

Exchange Server User Monitor

Beta Exam 345: Designing and Deploying Microsoft Exchange Server 2016 NOW AVAILABLE

Are you an expert in designing and managing Exchange Server? Are you responsible for the Exchange Server 2016 messaging environment in an enterprise environment? If so, here’s your chance to start down the path to the MCSE certification for free AND help us improve the quality of this exam!

We are opening up 350 beta seats for this beta exam (exam number: 70-345)… This means you can take the exam for free!! BUT… the seats are limited to a first come, first served basis–so, register today (these codes will only work through February 12, 2016, meaning you have to register AND take the exam on or before that date)–and we need you to take the exam as soon as possible so we can leverage your comments, feedback, and exam data in our evaluation of the quality of the questions. The sooner you take the exam, the more likely it is that we will be able to use your feedback to make improvements to the exam. This is your chance to have a voice in the questions we include on the exam when it goes live.

To prepare for the exam, review our prep guide and practice the skills listed: https://www.microsoft.com/en-us/learning/exam-70-345.aspx. To prepare for this beta exam, check out my recent blog for ideas: https://borntolearn.mslearn.net/b/weblog/archive/2015/12/31/just-how-does-one-prepare-for-beta-exams-without-preparation-materials.

***Register for the exam at the same site and use code EXCH2016010B to take it for free, but these codes are only valid for exam dates on or before Feb. 12, 2016. Remember: There are a limited amount of spots, so when they’re gone, they’re gone. You should also be aware that there are some country limitations where the beta code will not work (e.g., Turkey, Pakistan, India, China, Vietnam); you will not be able to take the beta exam for free in those countries.

Also, keep in mind that this exam is in beta, which means that you will not be scored immediately. You will receive your final score and passing status once the exam is live.

Well…what are you waiting for? Register before all the seats are gone!

https://borntolearn.mslearn.net/b/weblog/archive/2016/01/13/designing-and-deploying-microsoft-exchange-server-2016-beta-exam-now-available

MS16-010: Security update in Microsoft Exchange Server to address spoofing: January 12, 2016

This security update resolves a vulnerability in Microsoft Exchange Server that could allow information disclosure if Outlook Web Access (OWA) doesn’t properly handle web requests and sanitize user input and email content.

To learn more about the vulnerability, see Microsoft Security Bulletin MS16-010.

Download:

  • Microsoft Exchange Server 2013 Service Pack 1 (3124557)
  • Microsoft Exchange Server 2013 Cumulative Update 10 (3124557)
  • Microsoft Exchange Server 2013 Cumulative Update 11 (3124557)
  • Microsoft Exchange Server 2016 (3124557)

Cumulative Update 11 for Exchange Server 2013

Cumulative Update 11 for Microsoft Exchange Server 2013 was released on December 15, 2015. Several nonsecurity issues are fixed in this cumulative update or a later cumulative update for Exchange Server 2013.

This cumulative update fixes the issues that are described in the following Microsoft Knowledge Base articles:

This update also includes new daylight saving time (DST) updates for Exchange Server 2013. For more information about DST, go to Daylight Saving Time Help and Support Center.

Download Cumulative Update 11 for Exchange Server 2013 (KB3099522) now.
