Despite the quarterly wave of Cumulative Updates being imminent, CVE-2017-11932 and ADV170023 warranted a quick release of Security Update KB4045655 for current versions of Exchange 2013 and Exchange 2016.
This security update fixes a vulnerability in OWA, which could allow elevation of privilege or spoofing if an attacker sends an email that has a specially crafted attachment to a vulnerable Exchange server.
You can download the security updates here:
- Exchange Server 2016 CU7 (v15.1.1261.37)
- Exchange Server 2016 CU6 (v15.1.1034.33)
- Exchange Server 2013 CU18 (v15.0.1347.3)
- Exchange Server 2013 CU17 (v15.0.1320.7)
Be advised the update may leave your Exchange services in a disabled state, despite installing correctly. In those cases, reconfigure those services to Automatic and start them manually.
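One way to catch the disabled-service side effect deterministically is to record the startup type of every Exchange service before the update and compare afterwards, rather than eyeballing the Services console. The script below is an added example and not code from the original post: run it with `-Mode Baseline` before installing KB4045655 and with `-Mode Restore` afterwards; it only touches services that the baseline shows were not already Disabled, and returns each one to its previous startup type (Automatic for the services the post refers to) before starting it. The baseline path and the inclusion of W3SVC (IIS, which hosts OWA) are this example's own assumptions.

```powershell
<#
 Added example (not from the original post). Records the startup type of the
 Exchange services before the security update and, after the install, restores
 any service the update left Disabled to the startup type it had before.
 Run elevated on the Exchange server. Uses Win32_Service so it also works on
 the Windows PowerShell 3/4 versions found on Server 2012/2012 R2.
#>
param(
    [ValidateSet('Baseline', 'Restore')]
    [string]$Mode = 'Baseline',
    # Assumption: where the pre-update snapshot is kept.
    [string]$BaselinePath = "$env:ProgramData\ExchangeServiceBaseline.csv"
)

# Every Exchange service is named MSExchange*; W3SVC (IIS) is included because it
# fronts OWA/ECP, which this update patches. Assumption: that set is sufficient.
function Get-ExchangeServiceState {
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.Name -like 'MSExchange*' -or $_.Name -eq 'W3SVC' } |
        Select-Object Name, StartMode, State
}

switch ($Mode) {
    'Baseline' {
        $snapshot = Get-ExchangeServiceState
        $snapshot | Export-Csv -Path $BaselinePath -NoTypeInformation
        Write-Host "Baseline of $($snapshot.Count) services written to $BaselinePath"
    }
    'Restore' {
        if (-not (Test-Path -Path $BaselinePath)) {
            throw "No baseline at $BaselinePath; run with -Mode Baseline before installing the update."
        }
        $baseline = Import-Csv -Path $BaselinePath
        $nowDisabled = Get-ExchangeServiceState | Where-Object { $_.StartMode -eq 'Disabled' }

        foreach ($svc in $nowDisabled) {
            $before = $baseline | Where-Object { $_.Name -eq $svc.Name }

            # A service that was already Disabled before the update (for example a
            # protocol deliberately switched off) was not changed by the update; leave it.
            if ($before -and $before.StartMode -eq 'Disabled') { continue }

            # Win32_Service reports 'Auto'/'Manual'; Set-Service wants 'Automatic'/'Manual'.
            $startupType = if ($before -and $before.StartMode -eq 'Manual') { 'Manual' } else { 'Automatic' }

            Write-Host "Restoring $($svc.Name): Disabled -> $startupType"
            Set-Service -Name $svc.Name -StartupType $startupType
            if ($startupType -eq 'Automatic') {
                Start-Service -Name $svc.Name
            }
        }
        if (-not $nowDisabled) { Write-Host 'No Exchange services were left Disabled.' }
    }
}
```

Because the restore step is driven by the baseline rather than by a fixed list, a service that was intentionally Disabled before patching (IMAP4 or POP3 on a server that does not offer them, for instance) is not switched back on.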
Also note that this security update supersedes an earlier update, KB4036108, which could cause Calendar Sharing issues when split DNS is used.
Security updates are specific to the Cumulative Update level. Be advised that updates may carry the same name, e.g. the update for CU7 and the one for CU6 are both named Exchange2016-KB4045655-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2016-KB4045655-x64-en-CU7.msp.
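The renaming can be automated so the CU label is derived from the server the package was downloaded for instead of typed by hand. The script below is an added example, not code from the original post: it reads the installed build from ExSetup.exe (its location comes from the Exchange setup registry key), maps the major.minor.build prefix to a CU using the four versions listed above, checks that the package's product name (Exchange2013 or Exchange2016) matches that server, and only then renames the .msp with the CU suffix. The parameter name and the hashtable are this example's own.

```powershell
<#
 Added example (not from the original post). Labels a downloaded KB4045655 .msp
 with the Cumulative Update it belongs to before archiving it. The CU is derived
 from the ExSetup.exe build on the local server, using the build numbers the
 post lists, so a 2013 package cannot be filed as a 2016 one or vice versa.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$MspPath
)

# major.minor.build prefixes of the CU levels KB4045655 was released for (from the post).
$cuByBuild = @{
    '15.1.1261' = @{ Product = 'Exchange2016'; CU = 'CU7'  }
    '15.1.1034' = @{ Product = 'Exchange2016'; CU = 'CU6'  }
    '15.0.1347' = @{ Product = 'Exchange2013'; CU = 'CU18' }
    '15.0.1320' = @{ Product = 'Exchange2013'; CU = 'CU17' }
}

# ExSetup.exe carries the full build, including the revision bumped by security updates,
# whereas AdminDisplayVersion does not. Its folder is recorded under the Setup key.
function Get-InstalledExchangeBuild {
    $setup   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
    $exSetup = Join-Path -Path $setup.MsiInstallPath -ChildPath 'bin\ExSetup.exe'
    # FileVersion is a string such as 15.01.1261.035; [version] normalises the leading zeros.
    [version](Get-Item -Path $exSetup).VersionInfo.FileVersion
}

$build = Get-InstalledExchangeBuild
$key   = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
$cu    = $cuByBuild[$key]
if (-not $cu) {
    throw "Build $build is not one of the CU levels KB4045655 was released for; do not archive this package against it."
}

$file = Get-Item -LiteralPath $MspPath
# The file name carries the product but not the CU, so the product is the only
# sanity check available before the CU suffix is added.
if ($file.BaseName -notlike "$($cu.Product)-KB4045655-*") {
    throw "$($file.Name) does not look like the $($cu.Product) package for this server (build $build)."
}

$newName = '{0}-{1}{2}' -f $file.BaseName, $cu.CU, $file.Extension
Rename-Item -LiteralPath $file.FullName -NewName $newName
Write-Host "Archived as $newName (server build $build)"
```

Run it on the server the package was downloaded for, e.g. `.\Label-Msp.ps1 -MspPath C:\Updates\Exchange2016-KB4045655-x64-en.msp`, and the file becomes Exchange2016-KB4045655-x64-en-CU7.msp on a CU7 server. Because the lookup uses only the first three version components, it works both before and after the security update has changed the revision number.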
As with any patch or update, I’d recommend testing this thoroughly in a test and acceptance environment first, prior to implementing it in production.