A quick heads-up: during my vacation, Microsoft released security updates for supported releases of Exchange Server 2016 and 2013, as well as Exchange Server 2010.
The security updates address the issues reported in the following Microsoft Common Vulnerabilities and Exposures entries:
- CVE-2018-8302 Microsoft Exchange Memory Corruption Vulnerability
- CVE-2018-8374 Microsoft Exchange Server Tampering Vulnerability (Exchange 2016 only)
You can download the security updates here:
- Security Update for Exchange Server 2016 CU10 (v15.1.1531.6, KB4340731)
- Security Update for Exchange Server 2016 CU9 (v15.1.1466.10, KB4340731)
- Security Update for Exchange Server 2013 CU21 (v15.0.1395.7, KB4340731)
- Security Update for Exchange Server 2013 CU20 (v15.0.1367.9, KB4340731)
- Exchange 2010 SP3 Rollup 23 (v14.3.417.1, KB4340733)
- Be advised that Exchange 2010 SP3 Rollup 23, like recent Cumulative Updates of Exchange 2016 and 2013, requires Visual C++ Redistributable Packages for Visual Studio 2013 (download).
- KB4340731 supersedes the previous security update KB4092041 for Exchange 2016 and Exchange 2013.
Be advised that for Exchange 2013 and 2016, Security Updates are Cumulative Update level specific. While the downloaded security updates may carry the same name, the files are different and you cannot apply the downloaded security update file for Exchange 2016 CU8 to Exchange 2016 CU9. I suggest adding some form of identification of the Cumulative Update to the file name when you archive it, e.g. Exchange2016-KB4340731-x64-en-CU10.msp.
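Because the file to apply depends on the Cumulative Update a server is on, it helps to check the installed build before picking a file from the archive. The following PowerShell is an added example, not code from Microsoft or from the original post: it maps an installed build to its CU using the patched build numbers listed above, reports whether the update is already present, and returns the archive file name. The function name and the file names (which follow the naming suggestion above) are assumptions, and Exchange 2010 is left out because its rollups are not CU specific.

```powershell
# Added example. Patched build numbers and the KB are the ones listed in this post;
# the archive file names are assumptions that follow the post's naming suggestion.
$SecurityUpdates = @(
    [pscustomobject]@{ Year = 2016; CU = 'CU10'; Patched = [version]'15.1.1531.6'  }
    [pscustomobject]@{ Year = 2016; CU = 'CU9';  Patched = [version]'15.1.1466.10' }
    [pscustomobject]@{ Year = 2013; CU = 'CU21'; Patched = [version]'15.0.1395.7'  }
    [pscustomobject]@{ Year = 2013; CU = 'CU20'; Patched = [version]'15.0.1367.9'  }
)

function Get-SecurityUpdateStatus {
    param([Parameter(Mandatory)][version]$InstalledBuild)

    # Assumption: a security update keeps the major.minor.build of its CU and only
    # raises the revision, so the first three components identify the CU.
    $su = $SecurityUpdates | Where-Object {
        $_.Patched.Major -eq $InstalledBuild.Major -and
        $_.Patched.Minor -eq $InstalledBuild.Minor -and
        $_.Patched.Build -eq $InstalledBuild.Build
    } | Select-Object -First 1

    if (-not $su) {
        # Not one of the four CUs this post lists an update for.
        return [pscustomobject]@{
            InstalledBuild = $InstalledBuild; CU = $null; Patched = $false; ArchiveFile = $null
        }
    }
    [pscustomobject]@{
        InstalledBuild = $InstalledBuild
        CU             = $su.CU
        Patched        = $InstalledBuild -ge $su.Patched
        ArchiveFile    = 'Exchange{0}-KB4340731-x64-en-{1}.msp' -f $su.Year, $su.CU
    }
}

# Constructed sample builds: an unpatched CU10 server, a patched CU9 server,
# and a build from a CU this post lists no update for.
'15.1.1531.3', '15.1.1466.10', '15.1.1415.2' | ForEach-Object { Get-SecurityUpdateStatus $_ }

# From the Exchange Management Shell, the installed build can be read from ExSetup.exe:
# Get-SecurityUpdateStatus ([version](Get-Command ExSetup.exe).FileVersionInfo.ProductVersion)
```

A result with an empty CU means the server is on a Cumulative Update for which no file is listed here, so none of the archived files applies to it.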
As with any patch or update, I recommend thoroughly testing this in a test and acceptance environment before implementing it in production.