MS13-061 Security Fix for Exchange 2013

Today the Exchange Team released the first Security Update for Exchange 2013. This security update KB2874216 fixes the issue described in Microsoft Security Bulletin MS13-061.

As mentioned in an earlier article, security fixes are Cumulative Update level specific. How that would turn out in practice remained to be seen at the time of writing that article, but at the moment it means there are two different versions of the security update, one for CU1 and one for CU2 (or the re-release of CU2 actually, version 15.0.712.24).

Be warned that both files carry the same file name. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2013-KB2874216-x64-en-CU2.msp.
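One way to apply that naming advice, as an added example that is not part of the original post: map the installed Exchange 2013 build to its CU label (620 and 712 are the build numbers quoted in this post) and archive the package under a CU-tagged name with a SHA-256 record. The function names, the manifest file name, and the paths in the usage comment are hypothetical, and Get-FileHash assumes PowerShell 4.0 or later.

```powershell
# Added example, not from the original post. Function names, the manifest
# name and the sample paths are hypothetical.

function Get-CULabel {
    # Map an Exchange 2013 build (15.0.<build>.<rev>) to its CU label.
    param([Parameter(Mandatory)][version]$Build)
    if ($Build.Major -ne 15 -or $Build.Minor -ne 0) {
        throw "Build $Build is not Exchange 2013 (15.0.x)."
    }
    switch ($Build.Build) {
        620     { 'CU1' }   # build number as quoted in the post
        712     { 'CU2' }   # build number as quoted in the post
        default { throw "The post lists no KB2874216 package for build $Build." }
    }
}

function Save-SecurityUpdate {
    # Copy the package to the archive under a CU-tagged name and record its hash,
    # so the two identically named downloads can never be confused or overwritten.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$CULabel,
        [Parameter(Mandatory)][string]$ArchiveDir
    )
    $file = Get-Item -LiteralPath $Path
    $name = '{0}-{1}{2}' -f $file.BaseName, $CULabel, $file.Extension
    $dest = Join-Path $ArchiveDir $name
    if (Test-Path -LiteralPath $dest) {
        throw "$dest already exists; refusing to overwrite."
    }
    Copy-Item -LiteralPath $file.FullName -Destination $dest
    $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    Add-Content -LiteralPath (Join-Path $ArchiveDir 'SHA256SUMS.txt') -Value "$hash  $name"
    $dest   # return the archived path
}

# Usage (constructed values; the un-tagged download name is an assumption):
#   On the Exchange server, read the installed build from ExSetup.exe:
#     $exe   = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
#     $build = [version](Get-Item $exe).VersionInfo.ProductVersion
#   Then tag and archive the matching download:
#     $label = Get-CULabel -Build $build
#     Save-SecurityUpdate -Path .\Exchange2013-KB2874216-x64-en.msp `
#                         -CULabel $label -ArchiveDir D:\Patches
```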

As with any patch or update, I’d recommend thoroughly testing this in a test and acceptance environment before implementing it in production.

You can download the security updates here:

· Security Update for Exchange Server 2013 CU1 (v15.0.620.32)

· Security Update for Exchange Server 2013 CU2 (v15.0.712.26)

Exchange 2010 SP3 Rollup 2 & SP2 RU7

Today the Exchange Team released Rollup 2 for Exchange Server 2010 Service Pack 3 (KB2866475). This update raises the Exchange 2010 version number to 14.3.158.1.

Here’s a list of fixes contained in this Rollup:

· 2837926 Error message when you try to activate a passive copy of an Exchange Server 2010 SP3 database: "File check failed"

· 2841150 Cannot change a distribution group that contains more than 1,800 members by using ECP in OWA in an Exchange Server 2010 environment

· 2851419 Slow performance in some databases after Exchange Server 2010 is running continuously for at least 23 days

· 2853899 Only the first page of an S/MIME signed or encrypted message is printed by using OWA in an Exchange Server 2010 environment

· 2854564 Messaging Records Management 2.0 policy can’t be applied in an Exchange Server 2010 environment

· 2855083 Public Folder contents are not replicated successfully from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010

· 2859596 Event ID 4999 when you use a disclaimer transport rule in an environment that has Update Rollup 1 for Exchange Server 2010 SP3 installed

· 2860037 iOS devices cannot synchronize mailboxes in an Exchange Server 2010 environment

· 2861118 W3wp.exe process for the MSExchangeSyncAppPool application pool crashes in an Exchange Server 2010 SP2 or SP3 environment

· 2863310 You cannot send an RTF email message that contains an embedded picture to an external recipient in an Exchange Server 2010 SP3 environment

· 2863473 Users cannot access Outlook mailboxes that connect to a Client Access server array in an Exchange Server 2010 environment

· 2866913 Outlook prompts to send a response to an additional update even though the response request is disabled in an Exchange Server 2010 environment

· 2870028 EdgeTransport.exe crashes when an email message without a sender address is sent to an Exchange Server 2010 Hub Transport server

· 2871758 EdgeTransport.exe process consumes excessive CPU resources on an Exchange Server 2010 Edge Transport server

· 2873477 All messages are stamped by MRM if a deletion tag in a retention policy is configured in an Exchange Server 2010 environment

In addition to these fixes, this Rollup also includes a fix for the security issue described in Microsoft Security Bulletin MS13-061.

Notes:

· As of Service Pack 2 Rollup 4, it’s no longer required to disable/re-enable ForeFront Protection for Exchange using the fscutility to be able to install the Rollup properly. However, if you want to remain in control, you can disable ForeFront before installing the Rollup using fscutility /disable and re-enable it afterwards using fscutility /enable;

· Rollups are cumulative, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup package.

As with any Hotfix, Rollup or Service Pack, I’d recommend thoroughly testing this rollup in a test and acceptance environment before implementing it in production.

You can download Exchange 2010 SP3 Rollup 2 here.

Exchange 2010 SP2

For those still on Exchange 2010 SP2, Microsoft released Exchange 2010 SP2 Rollup 7. This Rollup only includes the MS13-061 security fix and raises Exchange 2010 SP2’s version number to 14.2.375.0. It can be downloaded here; the related KB article is KB2874216.

Exchange 2007 SP3 Rollup 11

Today the Exchange Team released Rollup 11 for Exchange Server 2007 Service Pack 3 (KB2873746). This update raises the Exchange 2007 version number to 8.3.327.1.

Here’s the list of changes included in this Rollup:

· 2852663 The last public folder database on Exchange 2007 cannot be removed after migrating to Exchange 2013

· 2688667 W3wp.exe consumes excessive CPU resources on Exchange Client Access servers when users open recurring calendar items in mailboxes by using OWA or EWS

In addition to these fixes, this Rollup also includes a fix for the security issue described in Microsoft Security Bulletin MS13-061.

Notes:

· When running ForeFront Protection for Exchange, make sure you disable ForeFront before installing the rollup and re-enable it afterwards, otherwise the Information Store and Transport services may not start. You can disable ForeFront using fscutility /disable and enable it using the fscutility /enable command;

· Rollups are cumulative, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup package.

You can download Exchange 2007 SP3 Rollup 11 here.