Note (18sep2016): Be advised that there are reports on the security fix for Exchange 2016 CU2 leaving the system in a suboptimal state, like not re-enabling services. For now, the reports contain possible workarounds for those situations

It seems every once in a while, vulnerabilities are discovered in the Oracle libraries, licensed by Microsoft for Microsoft Exchange. For september, it is that time again, with a potential issue which allows remote code execution by means of a attachment which is to be handled by the library.

The related security bulletin is MS16-108 (KB3185883), which corrects Exchange behavior for :

• parsing certain unstructured file formats.
• handling open redirect requests.
• handling Microsoft Outlook meeting invitation requests.

Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security update for the following product levels:

• Exchange 2007 SP3
  Rollup 21 for Exchange Server 2007 SP3 (KB3184711), v8.3.485.1
• Exchange 2010 SP3
  Rollup 15 For Exchange 2010 SP3 (KB3184728), v14.3.319.2
• Exchange 2013 SP1
  Security Update For Exchange Server 2013 SP1 (KB3184736), v15.0.847.50
• Exchange 2013 CU12
  Security Update For Exchange Server 2013 CU12 (KB3184736), v15.0.1178.9
• Exchange 2013 CU13
  Security Update For Exchange Server 2013 CU13 (KB3184736), v15.0.1210.6
• Exchange 2016 CU1
  Security Update For Exchange Server 2016 CU1 (KB3184736), v15.1.396.37
• Exchange 2016 CU2
  Security Update For Exchange Server 2016 CU2 (KB3184736), v15.1.466.37

Note that Rollups only address the vulnerabilities mentioned in security bulletin, and this bulletin replaces updates the rollups and security updates of MS16-079.

The issue is deemed critical, which means organizations are advised the implement the security fix at their earliest convenience. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.

The Exchange Versions, Builds and Dates page has been updated with the above information as well.

Episode 60 of The UC Architects podcast is now available. This episode is hosted by Pat Richard, who is joined by John Cook, Tom Arbuthnot, and special guest, Ken Lasko. Editing was done by Andrew Price.

Topics discussed in this episode are:

• PowerShell is open sourced and is available on Linux

Exchange Topics

• Outlook for iOS & Android Is Dumping AWS and Heading for an All-Microsoft Infrastructure in Q3
• Microsoft Partnership – Litmus
• A Practical Look at Exchange Database Internals — Part 1

Office 365

• Interested in road map for #Skype4B Online
• Veeam Backup for Microsoft Office 365
• Microsoft acquisition of Genee to accelerate intelligent experiences in Office 365
• Migrate traditional Distribution Groups to Office 365 Groups
• Office 365 Service Assurance Dashboard

Lync/Skype for Business Topics

• Skype Dialing Rule Optimizer (Ken Lasko)
• Some #Skype4B #Polycom #SLA oddities for everyone to enjoy.
• Skype for Business Hybrid Deployment Guide
• #Skype4B DIY Room System! 
• 1st episode of the Modality APAC Perspective monthly video series is up!
• #Skype4B Online keeps getting updated. So does my policy spreadsheet.  Know your options!
• Skype for Business 2016 clients only support new (V16) ICE
• Careful when clicking on links in Skype for Business – MSitPros Blog
• Microsoft to offer Skype PSTN conferencing to Australia in September

Events

• Microsoft Ignite
• UC Day mailing list for more information about a dedicated UC and cloud conference happening on 24th October in the heart of the United Kingdom

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Skype for Business or related subjects.

The Exchange Team released the wave of Exchange updates for Exchange 2016 down to Exchange 2007.

Major changes in contained in these updates:

• .NET 4.6.1 support for Exchange Server 2013 and 2016.
  • When upgrading Exchange, install the CU before upgrading to .NET Framework 4.6.1. For greenfield deployments, you should be able to install the .NET Framework 4.6.1 straightaway, prior to installing Exchange; however, no official statement on that yet.
  • When deploying .NET Framework 4.6.1, the following OS dependent fixes are required as well: KB3146716 for WS2008/WS2008R2, KB3146714 for WS2012, and KB3146715 for WS2012R2
• BitLocker support for AutoReseed. More information here.
• By default, SHA-2 certificates are generated. This includes the self-signed certificates as well.
• Like Exchange 2016 CU1, Exchange 2016 CU2 is an uncompressed ISO file. If bandwidth is scarce where you will be deploying, be sure to download this 6GB file upfront.
• Not mentioned in the KB’s list of fixes for Exchange 2016 CU2 and Exchange 2013 CU13 is the inclusion of KB3161916, Data loss may occur during public folder migration to Exchange 2013, Exchange 2016, or Exchange Online.

For a list of fixes in these updates, see below.

Exchange 2016 CU2 fixes:

• KB3171162 You cannot search emails in Outlook or Outlook Web App in an Exchange Server 2016 Cumulative Update 1 environment
• KB3164346 Cannot connect to a mailbox when MAPI over HTTP protocol is used in an on-premises Exchange Server 2016 installation
• KB3163039 Email message body is garbled when Simplified Chinese characters are included on BCC line in an Exchange Server environment
• KB3162968 “Failed to load script” error when you log on to OWA and select a language
• KB3126723 Retention policy doesn’t work on the In-Place Archive mailbox in Exchange Server

Exchange 2013 CU13 fixes:

• KB3164701 Can’t create a new send connector in Exchange Control Panel in Exchange Server 2013
• KB3164700 Write scope in EAC on a role group reverts to default scope in Exchange Server 2013
• KB3164359 Stop error and restart triggered by ServerOneCopyInternalMonitorForceReboot responder in Exchange Server 2013
• KB3163186 “Repair update” message after you send a meeting invitation to a distribution list in Exchange Server 2013
• KB3163173 NDR after you accept or decline a meeting request in Exchange 2013
• KB3163039 Email message body is garbled when Simplified Chinese characters are included on BCC line in an Exchange Server environment
• KB3162964 Items are held unnecessarily in the DiscoveryHold folder in Exchange Server 2013
• KB3162957 “Invalid search filter” error when you use the “UM Mailbox Policy” filter in Exchange Server 2013
• KB3162934 Test-ExchangeSearch cmdlet fails without parameters or with the -MailboxDatabase parameter in Exchange Server 2013
• KB3162933 Outlook client remains disconnected after the mailbox is migrated to Exchange Server 2013
• KB3162772 Accepted or declined messages for a forwarded meeting are sent to the forwarder in Exchange Server 2013
• KB3160935 Public folder forwarding rule doesn’t work after migration to Exchange Server 2013
• KB3150799 IMAP with NTLM fails if a user’s UPN and primary SMTP address don’t match in Exchange Server 2013
• KB3150036 The EdgeTransport process crashes on an Exchange Server 2013 server that has the Edge Server role installed
• KB3149767 “System.FormatException” error is logged in Event Viewer when Exchange Server 2013 runs on a French operating system
• KB3142157 Exchange Server Health Management Worker process restarts frequently in Exchange Server 2013
• KB3140102 OWA application pool crashes with KeyNotFound exception in Exchange Server 2013
• KB3129946 Update to support the AutoReseed feature in a DAG environment that’s BitLocker-enabled in Exchange Server 2013
• KB3126723 Retention policy doesn’t work on the In-Place Archive mailbox in Exchange Server
• KB2661294 Email address policy doesn’t generate addresses of recipients in Exchange Server 2010 or Exchange Server 2013

These Cumulative Updates for Exchange Server 2016 and 2013 as well as the Rollups for Exchange Server 2010 and 2007, fix the security issue described in Security Bulletin MS16-079. The Cumulative Updates for Exchange Server 2016 and 2013 also include DST changes.

Notes:

• Exchange 2016 CU2 includes schema changes (version 15325), and Exchange 2013 CU12 may introduce RBAC changes in your environment. When applicable, make sure you run PrepareSchema /PrepareAD before deploying. To verify this step has been performed, consult the Exchange schema overview.
• Exchange 2016 CU2 introduces activation preference changes for Database Availability Groups. You might want to consider reading the article upfront describing these changes here.
• When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode.
• The Windows Management Framework (WMF)/ PowerShell version 5 is not supported. Don’t install this on your Exchange servers.
• When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay current.
• If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
• Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
• Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
• The order of upgrading servers with Cumulative Updates is irrelevant.
• Rollups are cumulative per service pack level, meaning you can apply the latest Rollup for Service Pack X to a Service Pack X installation.

Finally, as always for any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or TechNet forum for any issues.