UPDATE: The MS13-061 security update for Exchange 2013 CU1 & CU2 has been pulled until further notice.If you have installed it, there are issues with it which can be fixed (link). Microsoft recommends not installing MSI13-061 at the moment and disable Data Loss Prevention and WebReady as described in the Oracle Outside In Contains Multiple Exploitable Vulnerabilities section in the MS13-061 bulletin.

Today the Exchange Team released the first Security Update for Exchange 2013. This security update KB2874216 fixes the issue described in Microsoft Security Bulletin MS13-061.

As mentioned in an earlier article, security fixes are Cumulative Update level specific. How that would turn out in practice remained to be seen at the time of writing that article, but at the moment it means there are two different versions of the security update, one patch file for CU1 and one for CU2 (or the re-release of CU2 actually, version 15.0.712.24 – more information on that here). I assume the .MSP format limits the ability to merge the two and let it make an intelligent decision on what to install.

Be warned that both files carry the same file name, I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2013-KB2874216-x64-en-CU2.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

You can download the security updates here:

• Security Update for Exchange Server 2013 CU1 (v15.0.620.32)
• Security Update for Exchange Server 2013 CU2 (v15.0.712.26)