ADV190018: Security Updates Exchange 2013-2019 & 2010

Ex2013 LogoUpdated Jun13: Corrected Ex2010SP3RU28 link

A quick note that an update was released for current Exchange versions as well as Exchange 2010 related to the following advisory:

  • ADV190018 Microsoft Exchange Server Defense in Depth Update

Unfortunately – or perhaps understandably – the advisory doesn’t present any more details than, ‘”Microsoft has released an update for Microsoft Exchange Server that provides enhanced security as a defense in depth measure.”.

You can download the security updates here:

Be advised that the Security Updates for Exchange 2013-2019 are Cumulative Update level specific. Unfortunately, the security update carries the same name for different CU’s, and you cannot apply the update for Exchange 2016 CU12 to Exchange 2016 CU11. I would suggest tagging the Cumulative Update in the file name when you store it, e.g. Exchange2016-KB4503027-x64-en_CU11.msp.

As with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.

9 thoughts on “ADV190018: Security Updates Exchange 2013-2019 & 2010

  1. Michel, thank you for the notice. Can you verify the link to the 2010 SP3 UR28? When I follow it I get to UR27.

  2. Microsoft have released this as a critical update and it automatically tried to install on 2 of my exchange 2019 cu1 on server 2019. It failed to complete on both and it fails to uninstall, reinstall or let me reapply CU1 and AD topology service now crashes. Going to hack the registry entries for all exchange components back to RTM version which should let me reapply CU1. And nothing on the EHLO blog about the update. Very poor from Microsoft.

      • So copying \Setup\ServerRoles\Common from the CU1 ISO to \Exchange Server\bin should give you a working (hybrid version!) server again.

        Then check all the top level registry keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15
        and delete any “watermark” keys.

        Then Create a file “profile.ps1” in “C:\Windows\System32\WindowsPowerShell\v1.0” containing the following command: New-Alias Stop-SetupService Stop-Service

        Then run the security in depth update again from an elevated command prompt. Not Windows update.

        Good luck!

        • Hi!

          I also found this to be a temporary solution.
          In the past I had to apply the powershell profile part, as this was already screwed for the last security update.

          I will test the registry part as that is new for me. I’ve moved the mailboxes to another database.

          • When you update Exchange, a “watermark” registry key is created on each component while it is being updated. If an update fails and this key remains then you cant install further exchange updates until it’s deleted.

            Terrible design, and I have had this happen countless times in the past. And things like the fix required above have been around for years but still not handled by the installer.

            Also outrageous that there is zero about this on the EHLO blog. I can only assume that they have found vulnerabilities that are extremely serious and are keeping quiet about them until this update has been widely deployed.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s