Security Updates for Exchange 2013 & 2016

Despite the quarterly wave of Cumulative Updates being imminent, CVE-2017-11932 and ADV170023 warranted a quick release of Security Update KB4045655 for current versions of Exchange 2013 and Exchange 2016.

This security update fixes a vulnerability in OWA, which could allow elevation of privilege or spoofing if an attacker sends an email that has a specially crafted attachment to a vulnerable Exchange server.

You can download the security updates here:

Be advised the update may leave your Exchange services in a disabled state, despite installing correctly. In those cases, reconfigure those services to Automatic and start them manually.

Also note that this security update overrides an earlier update, KB4036108, which might cause Calendar Sharing issues when split DNS is used.

Security updates are Cumulative Update level specific. Be advised that updates may carry the same name, e.g. the update for CU7 and the one for CU6 are both Exchange2016-KB4045655-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2016-KB4045655-x64-en-CU7.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.


9 thoughts on “Security Updates for Exchange 2013 & 2016

  1. This states that this isn’t a new patch, rather it’s fixing and then removing a security fix due to side effects from the prior update. “This security update was released to address a known issue in security update 4036108 in which customers that are using split DNS may encounter problems that affect Calendar Sharing. This update removes the fix for this vulnerability. ”

    So this update removes a security patch?


    • This fix replaces KB4036108, which is not available anymore.KB4036108 introduced a potential issue (for DNS). This new fix includes a fix for that side-effect (or doesn’t introduce it, depending on how you want to read it), apart from addressing the vulnerability.


      • We found the issue that mailflow was down. Logged into the server and found that the shell wouldn’t connect or the ECP didn’t work. All Exchange service were disabled and none would start. Tried enabling all the services and restarting but that didn’t work. Opened windows update history and found the update had failed. So my opinion is the update failed part way and left the Exchange server unusable. Tried to manually install the update, failed. So tried to run the CU7 update, failed. So my only option was backup restore. Even call Microsoft for support and stumped their tier one support group and it was elevated but we could wait for them to call back.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.