Microsoft Exchange Memory Corruption Vulnerability

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.

Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.

Download:

Product, Link
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 21, 4091243
Microsoft Exchange Server 2013 Cumulative Update 19, 4092041
Microsoft Exchange Server 2013 Cumulative Update 20, 4092041
Microsoft Exchange Server 2013 Service Pack 1, 4092041
Microsoft Exchange Server 2016 Cumulative Update 8, 4092041
Microsoft Exchange Server 2016 Cumulative Update 9, 4092041

Exchange 2016/2013/2010 Updates March 2017

Today, the Exchange Team released the March updates for Exchange Server 2013 and 2016, as well as Exchange Server 2010 and 2007. The latter will receive its last update, as Exchange 2007 will reach end-of-life April 11, 2017.

As announced in December updates, Exchange 2013 CU16 and Exchange 2016 CU5 require .NET 4.6.2. The recommended upgrade paths:

  • If you are still on .NET 4.6.1, you can upgrade to .NET 4.6.2 prior to or after installing the latest Cumulative Update.
  • If you are on .NET 4.5.2, upgrade to Exchange 2016 CU4 or Exchange 2013 CU15 if you are not already on that level, then upgrade to .NET 4.6.2, and finally upgrade to the latest Cumulative Update.
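
The two upgrade paths above as a local check, added here as an example and not part of the original post or of Microsoft's tooling: it reads the .NET Framework Release value from the registry and the ExSetup.exe file version, then prints the matching order. The Release values are the ones Microsoft documents for .NET 4.5.2, 4.6.1 and 4.6.2, the function names are hypothetical, and the target builds are the ones listed on this page.

```powershell
# Added example: choose the .NET / Cumulative Update order described above.
# Run in Windows PowerShell on the Exchange server itself.

# Target builds as listed on this page.
$TargetBuild = @{
    '15.1' = [version]'15.1.845.34'   # Exchange 2016 CU5
    '15.0' = [version]'15.0.1293.2'   # Exchange 2013 CU16
}

function Get-DotNetLevel {   # hypothetical helper name
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction Stop).Release
    # Release values documented by Microsoft (two per version, depending on OS).
    if     ((394802, 394806) -contains $release) { '4.6.2' }
    elseif ((394254, 394271) -contains $release) { '4.6.1' }
    elseif ($release -eq 379893)                 { '4.5.2' }
    else                                         { "other (Release=$release)" }
}

function Get-ExchangeBuild {   # hypothetical helper name
    # ExSetup.exe is on the PATH of an Exchange server; its file version is the build.
    $v = (Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo
    New-Object -TypeName version -ArgumentList $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
}

function Get-UpgradePlan {   # hypothetical helper name
    param([version]$Build, [string]$DotNet)
    $target = $TargetBuild['{0}.{1}' -f $Build.Major, $Build.Minor]
    if (-not $target) { return "Build $Build is not Exchange 2013/2016: paths do not apply." }
    if ($Build -ge $target -and $DotNet -eq '4.6.2') { return "Already on $target with .NET 4.6.2." }
    switch ($DotNet) {
        '4.6.2' { "Install the latest Cumulative Update ($target)." }
        '4.6.1' { "Upgrade to .NET 4.6.2 and install $target, in either order." }
        '4.5.2' {
            '1. Upgrade to Exchange 2016 CU4 / Exchange 2013 CU15 if not already on that level.'
            '2. Upgrade to .NET 4.6.2.'
            "3. Install the latest Cumulative Update ($target)."
        }
        default { ".NET level '$DotNet' is not covered by the upgrade paths above." }
    }
}

Get-UpgradePlan -Build (Get-ExchangeBuild) -DotNet (Get-DotNetLevel)
```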

The Cumulative Updates also include DST changes, which are also contained in the latest Rollups published for Exchange 2010 and 2007.

For a list of fixes in these updates, see below.

Exchange 2016 CU5, 15.1.845.34, KB4012106, Download, UMLP
Exchange 2013 CU16, 15.0.1293.2, KB4012112, Download, UMLP
Exchange 2010 SP3 Rollup 17, 14.3.352.0, KB4011326, Download
Exchange 2007 SP3 Rollup 23, 8.3.517.0, KB4011325, Download

Exchange 2016 CU5 fixes:

  • KB4015665 SyncDelivery logging folders and files are created in wrong location in Exchange Server 2016
  • KB4015664 A category name that has different case-sensitivity than an existing name is not created in Exchange Server 2016
  • KB4015663 “The message content has become corrupted” exception when email contains a UUE-encoded attachment in Exchange Server 2016
  • KB4015662 Deleted inline picture is displayed as attachment after you switch the message to plain text in Exchange Server 2016
  • KB4015213 Email is still sent to Inbox when the sender is deleted from the Trusted Contacts list in Exchange Server 2016
  • KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013
  • KB4012994 PostalAddressIndex element isn’t returning the correct value in Exchange Server 2016

Exchange 2013 CU16 fixes:

  • KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013

Notes:

Exchange 2016 CU5 doesn’t include schema changes; however, Exchange 2016 CU5 as well as Exchange 2013 CU16 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.

When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Do note that when upgrading, setup will put the server in server-wide offline mode before installing the Exchange binaries.

Using Windows Management Framework (WMF)/PowerShell version 5 on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.

When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to stay at least one version behind (n-1).

  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of upgrading servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend thoroughly testing updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Source

Exchange Team has released Quarterly Exchange Updates

– A new Outlook on the web compose experience
– Support for .Net 4.6.2
– Change to Pre-Requisites installed by Setup
– Update on Windows Server 2016 support KB3206632
– Latest time zone updates
– Important Public Folder fix included in these releases

Exchange Server 2016 Cumulative Update 4 (KB3177106), Download, UM Lang Packs
Exchange Server 2013 Cumulative Update 15 (KB3197044), Download, UM Lang Packs
Exchange Server 2010 Service Pack 3 Update Rollup 16 (KB3184730), Download
Exchange Server 2007 Service Pack 3 Update Rollup 22 (KB3184712), Download

MS16-108: Security update for Exchange Server 2007/2010/2013/2016

Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In Libraries that are built into Exchange Server. This issue might occur if an attacker sends an email message with a specially crafted attachment to a vulnerable Exchange Server computer. To learn more about this vulnerability, see Microsoft Security Bulletin MS16-108.

More information about this security update

The following articles contain more information about this security update as it relates to individual product versions.

  • 3184736 MS16-108: Description of the security update for Exchange Server 2016 and Exchange Server 2013: September 13, 2016
  • 3184728 MS16-108: Update Rollup 15 for Exchange Server 2010 Service Pack 3: September 13, 2016
  • 3184711 MS16-108: Update Rollup 21 for Exchange Server 2007 Service Pack 3: September 13, 2016

Rollup 13 for Exchange Server 2010 Service Pack 3

This update rollup includes the following changes: 

  • A new Office 365 Hybrid Configuration wizard (HCW) is used in Exchange Server 2010 that was bundled in the Exchange Management Console (EMC). This change makes sure that EMC always runs the latest version of the HCW that contains up-to-date experience when the HCW is initiated from the EMC.
  • An updated Secure/Multipurpose Internet Mail Extensions (S/MIME) Control for Outlook Web Access. The control is signed to use a SHA-2 compliant code signing certificate. After you install this update, an updated version of the control on the Exchange server will be replaced. Users who have installed the earlier version of the control into a computer’s browser must log on to Outlook Web Access and download the updated control after the Exchange server updates are completed.
  • Exchange Server 2010 Service Pack 3 Update Rollup 13 (KB3141339) Download

Update Rollup 12 for Exchange Server 2010 Service Pack 3

Update Rollup 12 for Microsoft Exchange Server 2010 Service Pack 3 (SP3) was released on December 15, 2015. This update rollup fixes various issues. Before you install this update, you must remove all interim updates for Exchange Server 2010 SP3. Also, see this important information about how to install this update.

This update fixes the issues that are described in the following Microsoft Knowledge Base article:

This update also includes new daylight saving time (DST) updates for Exchange Server 2010 SP3. For more information about DST, go to Daylight Saving Time Help and Support Center.

Download Update Rollup 12 for Exchange Server 2010 SP3 (KB3096066).

Rollup 11 for Exchange Server 2010 Service Pack 3

Exchange Team has released Update Rollup 11 for Exchange Server 2010 Service Pack 3.

From the Microsoft Exchange Team blog:

This release provides an important fix for an Information Store crash when customers are upgrading their Lync server infrastructure to Skype for Business.

Exchange Server 2010 Service Pack 3 Update Rollup 11 is the minimum version of Exchange Server 2010 which will be supported in a coexistence deployment with Exchange Server 2016.

Update Rollup 11 can be downloaded here.

Rollup 10 for Exchange Server 2010 Service Pack 3

Exchange Team released Rollup 10 for Exchange Server 2010 Service Pack 3

Fixes:

KB 3069055 Various DAG maintenance scripts do not work in an Exchange Server 2010 environment
KB 3057422 “MapiExceptionNoAccess: Unable to query table rows” error and some mailboxes cannot be moved
KB 3056750 Exchange ActiveSync application pool crashes in an Exchange Server 2010 environment
KB 3054644 “The item no longer exists” error when you access an archive mailbox in Outlook Web App in Exchange Server 2010
KB 3051284 Event ID 4999 is logged and MSExchangeServicesAppPool crashes in an Exchange Server 2010 environment
KB 3049596 Event ID 4999 is logged and remote procedure call Client Access service crashes in an Exchange Server 2010 environment
KB 2964344 MSExchangeRPC service stops working intermittently in Exchange Server 2010

Download

Rollup 9 for Exchange Server 2010 Service Pack 3

This update resolves the issues that are described in the following Microsoft Knowledge Base (KB) articles:

This update also includes new daylight saving time (DST) updates for Exchange Server 2010 SP3. For more information about DST, go to the following Microsoft website:

Daylight saving time Help and Support Center

Download Update Rollup 9 for Exchange Server 2010 SP3 (KB3030085).
