Microsoft published security fixes for the issue described in bulletin MS17-105. Fixes have been released for the following product levels:
- Exchange 2013 SP1, kb4013242, 15.0.847.53
- Exchange 2013 CU14, kb4013242, 15.0.1236.6
- Exchange 2016 CU3, kb4013242, 15.1.544.30
You are reading it correctly: the later Cumulative Updates are not affected. Earlier builds will not receive a security fix, as support is provided up to N-2 generation builds. Exchange 2013 SP1 is on the list because Service Packs are on a different support scheme.
Note that this Rollup or security fix replaces MS16-108 (kb3184736); you can install MS13-105 over installations containing that earlier security fix (no need to uninstall it first).
Strange that 2010 is not affected.
Not all details have been published yet, but since the vulnerability allows one “to inject arbitrary web script or HTML via a crafted email or chat client”, I assume it’s in the OWA code of Ex2013/Ex2016 (which are to some level similar), and not in Ex2010’s OWA’s code (which is completely different).
Most probably, but I am not an Exchange expert anyway 🙂 I just got used to seeing the names of all actively supported versions if any MSFT security issue affects a certain product line.