Exchange 2010-2016 Security Fixes


Microsoft released security updates to fix a remote code execution vulnerability in Exchange Server. The related knowledge base article is KB4018588.

More information is contained in the following Common Vulnerabilities and Exposures articles:

  • CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
  • CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability

Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:

As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.

The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.

Book: Pro Exchange 2013 SP1 PowerShell Administration


As some of you may have noticed, it has been a bit quieter here than it used to be. The reason for that, after several months of collaborative hard work, blood, sweat and tears, is finally here (and in stores just in time for the Holidays): a book titled Pro Exchange 2013 Service Pack 1 PowerShell Administration!


Together with fellow Exchange MVP Jaap Wesselius, we will talk you through topics such as:

  • Deployment and co-existence scenarios.
  • The Client Access Server role and topics such as namespaces, certificates, load balancing, and publishing.
  • The Mailbox Server role and topics such as managing mailboxes, distribution lists and recipients, and message transport.
  • High availability topics like Database Availability Groups and Client Access and Transport availability.
  • Message Hygiene using the Edge Transport server role and anti-spam features.
  • Backup, Restore and Disaster Recovery, including the ‘backup-less’ Native Data Protection scenario.
  • Unified Messaging features and integration with IP telephony solutions such as Microsoft Lync Server.
  • Compliance features like In-Place Archiving and MRM, In-Place Discovery, In-Place Hold, Data Loss Prevention including fingerprinting, and auditing.
  • Role-Based Access Control model and Split Permissions model for organizations that require this.
  • Office 365 and Exchange Online (EXO) scenarios, federating organizations, directory synchronization, ADFS and Multi-Factor Authentication, as well as basic tasks like onboarding and offboarding mailboxes.

Our 600+ page book will take a PowerShell-first approach when talking about Exchange Server 2013. You can order the book from Amazon here.

I have also added it to the book page here, which also contains other useful books when you want to learn about Exchange or related technologies like PowerShell, Active Directory or Lync Server.

Exchange 2013 SP1 Transport Agent Fix (updated)


After installing Exchange 2013 Service Pack 1, people reported issues with Transport Agents. Symptoms are that the Transport service doesn’t start or stops shortly after starting, or that you can’t install the 3rd party product.

Products experiencing the issue are TrendMicro ScanMail, McAfee Email Security (GroupShield), Symantec Mail Security for Exchange, AVG for Servers, ESET Mail Security for Exchange and CodeTwo Exchange Rules. Products from other vendors may be affected as well.

Microsoft is aware of this issue and has published KB2938053 which has a small Exchange2013-KB2938053-FixIt.zip script to fix the issue.

The cause of the issue lies in XML files containing invalid XML markup in the form of “comments” that contain a run of hyphens (the XML specification does not allow “--” inside a comment), which prevents .NET from loading the XML files, e.g.

<!-- 15.0.847.30 -------------------------------->

The two files containing the invalid XML markup are:

$Env:Windir\Microsoft.NET\assembly\GAC_MSIL\policy.8.0.Microsoft.Exchange.Data.Common\v4.0_15.0.847.30__31bf3856ad364e35\Microsoft.Exchange.Data.Common.VersionPolicy.cfg
$Env:Windir\Microsoft.NET\assembly\GAC_MSIL\policy.8.0.Microsoft.Exchange.Data.Transport\v4.0_15.0.847.30__31bf3856ad364e35\Microsoft.Exchange.Data.Transport.VersionPolicy.cfg

Be advised that the script supplied in the KB article tries to locate and fix various alternate versions of those files. You might want to consider this as well when fixing it manually, should you be unable to locate the specific files mentioned above.

After running the script you should be able to start the Transport service or install 3rd party products containing transport agents.
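As an added example (not the KB2938053 FixIt script), the following PowerShell locates the Exchange VersionPolicy.cfg files under the GAC, checks whether .NET can load each one as XML, and rewrites only the malformed comments so the file loads again. The file name pattern and the choice to collapse hyphen runs to a single hyphen are this example’s assumptions; the official script may fix the files differently.

```powershell
# Added example, not the KB2938053 FixIt script. Assumptions: the affected files match
# Microsoft.Exchange.Data.*.VersionPolicy.cfg below GAC_MSIL, and collapsing "--" runs
# inside a comment body to "-" is an acceptable repair.

function Repair-XmlCommentText {
    param([Parameter(Mandatory)][string]$Xml)
    # The terminator is "two or more hyphens then >", so "<!-- 15.0.847.30 ------>" is
    # matched as one comment; hyphen runs in the body become a single, legal hyphen.
    [regex]::Replace($Xml, '(?s)<!--(.*?)-{2,}>', {
        param($m)
        $body = $m.Groups[1].Value -replace '-{2,}', '-'
        "<!--$body-->"
    })
}

function Test-XmlLoads {
    param([Parameter(Mandatory)][string]$Xml)
    # [xml] uses the same .NET XmlDocument loader that fails on the broken files.
    try { [xml]$Xml | Out-Null; $true } catch { $false }
}

function Repair-ExchangeVersionPolicyFiles {
    param(
        [string]$GacRoot = "$Env:Windir\Microsoft.NET\assembly\GAC_MSIL",
        [switch]$WhatIf
    )
    Get-ChildItem -Path $GacRoot -Recurse -Filter 'Microsoft.Exchange.Data.*.VersionPolicy.cfg' |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw
            if (Test-XmlLoads $text) { return }          # well-formed already, leave it alone
            $fixed = Repair-XmlCommentText $text
            if (-not (Test-XmlLoads $fixed)) {
                Write-Warning "$($_.FullName): still not well-formed after comment repair, skipped"
                return
            }
            if ($WhatIf) { Write-Host "Would repair $($_.FullName)"; return }
            Copy-Item -Path $_.FullName -Destination "$($_.FullName).bak" -Force
            [System.IO.File]::WriteAllText($_.FullName, $fixed)
            Write-Host "Repaired $($_.FullName) (backup written with .bak extension)"
        }
}

# Constructed sample reproducing the markup quoted above (the real files are longer).
$sample = '<configuration><!-- 15.0.847.30 --------------------------------><runtime /></configuration>'
"Loads before repair: $(Test-XmlLoads $sample)"
"Loads after repair:  $(Test-XmlLoads (Repair-XmlCommentText $sample))"
```

Run Repair-ExchangeVersionPolicyFiles -WhatIf first to see which files would be touched; the .bak copies let you roll back if a 3rd party installer still fails afterwards.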

Update (3/5): Updated blog after the official KB article got published. The issue was also blogged on by fellows Jason Sherry and Paul Cunningham, while Tony Redmond has additional background details here.

Exchange 2013 Service Pack 1


The long awaited Service Pack 1 for Exchange Server 2013 was released today by the Exchange Team (KB2926248). This update raises the Exchange 2013 version number to 15.0.847.32.

Service Pack 1 introduces the following changes or enhancements:

  • Support for running Exchange Server 2013 SP1 on Windows Server 2012 R2.
  • Support for Windows Server 2012 R2 Domain Controllers and Windows Server 2012 R2 Forest and Domain Functional Level.
  • MAPI over HTTP.  More information on MAPI over HTTP here. Note that MAPI over HTTP requires Outlook 2013 SP1; you can download Office 2013 SP1 32-bit version here and the 64-bit version here.
  • DLP policy tips for OWA.
  • Add custom document types to DLP using fingerprinting technologies.
  • Cmdlet logging in Exchange Administrative Console.
  • Support for IP-less DAGs (on Windows Server 2012 R2).
  • S/MIME support.
  • Rich-Text editor for OWA.
  • Edge Transport server role.
  • Support for SSL Offloading.

Service Pack 1 includes the following fixes:

  • 2860242 HTML format is lost after saving as an MSG file in Exchange 2013
  • 2900076 Mailbox quota warning message uses an incorrect language in Exchange Server 2013
  • 2910199 “Reply all by IM” chat window displays seven recipients in Outlook Web App
  • 2913999 Meeting request body and instructions are lost in delegate’s auto-forwarded meeting request
  • 2918655 Microsoft.Exchange.Servicehost.exe crashes after you enable FIPS
  • 2918951 Users cannot access public folders after you upgrade to Exchange Server 2013 Cumulative Update 3
  • 2925281 Outlook connectivity issue if SSLOffloading is “True” in Exchange 2013
  • 2925544 Empty ExternalURL value for ActiveSync virtual directory after build-to-build upgrade of Exchange Server 2013
  • 2927708 Resource mailboxes that are created by EAC will not be updated by policies in Exchange Server 2013
  • 2928748 Default from delegate’s address in shared mailboxes in Exchange Server 2013
  • 2928803 Long server connection for Outlook after a database failover in Exchange Server 2013
  • 2930346 POP3 access does not work if the name of the resource mailbox differs from the user’s name
  • 2930348 Manual redirection occurs in Outlook Web App if External URLs in each site are the same
  • 2930352 Outlook Web App cross-site silent redirection does not work in Exchange Server 2013

Cumulative Updates and Service Packs include schema and AD changes, so make sure you run PrepareSchema /PrepareAD. After updating, the schema version will be 15292.
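An added example (not from the post) to confirm that the schema update actually landed: it reads the Exchange schema version pointer from the Active Directory schema partition via ADSI and compares it with the 15292 value stated above. The attribute location is the well-known ms-Exch-Schema-Version-Pt object; running it requires a domain-joined machine with rights to read the schema.

```powershell
# Added example: verify PrepareSchema by reading the Exchange schema version from AD.
# Uses the [ADSI] accelerator so no ActiveDirectory module is required.

function Get-ExchangeSchemaVersion {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.schemaNamingContext
    # Exchange stores its schema version in rangeUpper of this pointer object.
    $pointer  = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc"
    [int][string]$pointer.rangeUpper
}

function Test-ExchangeSchemaVersion {
    param([int]$Expected = 15292)   # Exchange 2013 SP1 value quoted in the post
    $actual = Get-ExchangeSchemaVersion
    [pscustomobject]@{
        Expected = $Expected
        Actual   = $actual
        # A higher value means a newer Exchange version has already extended the schema.
        UpToDate = ($actual -ge $Expected)
    }
}

Test-ExchangeSchemaVersion
```

Note that a freshly run PrepareSchema may take a replication cycle to show up on a domain controller other than the schema master.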

Note that Service Packs and Cumulative Updates can be installed directly, i.e. no need to install RTM prior to Cumulative Updates or Service Packs. Note that once applied, you can’t uninstall a Cumulative Update or Service Pack nor any of the installed Exchange server roles. The order of upgrading servers is irrelevant, unlike with previous Exchange generations.

Finally, and I can’t emphasize this enough: for any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend thoroughly testing it in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a week or two and monitor the comments on the release article or TechNet forum for any issues.

Also check with any 3rd party products you may use – there are reports of compatibility issues with 3rd party transport agents by Exclaimer, Trendmicro (other AV solutions possibly as well) and CodeTwo. The cause of the Transport service failing to start or problems with installing 3rd party transport agents has been identified. A workaround can be found here.

You can download Exchange 2013 Service Pack 1 here. The Exchange 2013 SP1 UM Language Packs can be found here. More details about these changes, preparing Active Directory or installing this Cumulative Update can be found in the original announcement here.

So long RPC/HTTP, Hello MAPI/HTTP


Microsoft published three sessions from the Redmond Interoperability Protocols Plugfest 2013 on Channel 9 on the protocol MAPI over HTTP or MAPI/HTTP, which looks scheduled to arrive with Exchange 2013 Service Pack 1.

This protocol is set to (over time!) replace the RPC/HTTP protocol we all know. RPC/HTTP, or Outlook Anywhere, is used by Outlook to communicate with Exchange Server and is most often seen with clients working remotely. With Exchange Server 2013, support for MAPI was dropped and RPC/HTTP became the only protocol. With Exchange 2013 SP1 it seems we will receive an alternative which is set to replace RPC/HTTP: MAPI/HTTP.

Of course, the information is preliminary and subject to change as Exchange 2013 SP1 hasn’t been released yet, but it won’t harm to get familiar with the planned changes. It also remains to be seen how quickly organizations will adopt this new protocol, which I’m pretty sure we will soon see supported by Office 365.

MapiHttp in Exchange 2013 SP1
Joe Warren, Principal SDE at Microsoft delivering a presentation covering the Exchange 2013 MapiHttp protocol implementation in Exchange 2013 SP1. Topics: What is MAPI-HTTP?, Why do MAPI-HTTP?, Goal of MAPI-HTTP, Why not rebuild with EWS?, Existing RPC-HTTP, New MAPI-HTTP, What does a MAPI-HTTP request look like?, What does a MAPI-HTTP response look like?, Session Context, Request Types, Sequencing & Protocol Failures. Click here.

Outlook 2013 Client Protocols
Shri Vidhya Alagesan, SDE at Microsoft presenting on Outlook 2013 Client Protocols from a client’s perspective. Topics: Client side view of Outlook-Exchange MAPI-HTTP protocol using WinHTTP, Error Handling & RPC Vs. MAPI-HTTP with sub-topics of Architecture Overview, Outlook & WinHttp, Cookies, Connection Status Dialog, Timeout, Pause/Resume & Protocol Switching. Click here.

Exchange 2013 Protocols
Andrew Davidoff, Senior Software Developer Engineer in Test at Microsoft presenting on the Exchange 2013 protocol families and important protocol updates for Exchange 2013. Click here.

Apart from these sessions on protocol change announced for Exchange Server 2013 SP1, Microsoft also published some other interesting Exchange-related sessions:

Exchange 2013 Web Services Overview
Harvey Rook, Principal Development Lead, and Naveen Chand, Senior Program Manager Lead, deliver a presentation on Exchange Web Services best practices. Click here.

Exchange RPC and EWS Protocol Test Suites
Jigar Mehta, Software Development Engineer in Test provides an in depth overview of the test suite packages for the Exchange RPC and Exchange Web Services protocols. Click here.

Exchange 2010 SP1 Rollup 8


Besides the updated Rollup 5 for Exchange Server 2010 SP2, the Exchange team also released the following Rollups:

The rollups address vulnerabilities described in MS12-080. In addition, Rollup 9 for Exchange Server 2007 SP3 contains a fix for the EdgeTransport.exe process, which could crash when processing a single occurrence of a recurring meeting (KB2748658).

The Exchange Versions, builds & dates page has been updated accordingly, including updated product version numbers.

Rereleases of Exchange 2010 SP1 RU8 and 2007 SP3 RU7


Besides Rollup 5 for Exchange Server 2010 SP2, the Exchange team also released updates of the following Rollups:

The KB article reads that, “This update resolves an issue in which the digital signature on files that are produced and signed by Microsoft expires prematurely as described in Microsoft Security Advisory 2749655.” However, that should already have been fixed in the v2 updates (refer to the same Security Advisory).

The Exchange Versions, builds & dates page has been updated accordingly, including updated product version numbers.

With all this subversioning of rereleases, one may wonder why they didn’t release Rollup 5 for Exchange as Rollup 4 v3, which perhaps would be less confusing.

Rereleases of latest Exchange 2010 and 2007 Rollups


The Exchange team rereleased the following Rollups:

These v2 updates solve an issue with a prematurely expiring certificate used to sign the update (see KB2749655), i.e. no code changes (apart from KB2756987).

The Exchange Versions, builds & dates page has been updated accordingly, including updated product version numbers.

Exchange 2010 SP1 Rollup 7


The Exchange Team silently released RU7 for Exchange Server 2010 Service Pack 1 (KB2743248). This update raises the Exchange 2010 version number to 14.1.421.0.

This Rollup only includes the fix for the WebReady security issue described in Microsoft Security Bulletin MS12-058 (KB2740358).

Note that update rollups are cumulative, i.e. they contain fixes released in earlier update rollups for the same product level (RTM, SPx). This means you don’t need to install previous update rollups during a fresh installation but can start with the latest rollup available right away.

As with any Hotfix, Rollup or Service Pack, I’d recommend thoroughly testing this rollup in a test and acceptance environment first, prior to implementing it in production. For the correct procedure on how to update DAG members, check here.

You can download Exchange 2010 SP1 Rollup 7 here.

Forefront Threat Management Gateway SP2


Microsoft released Service Pack 2 for Forefront Threat Management Gateway 2010, updating TMG to version 7.0.9193.500.

Here are several highlights included in this service pack:

Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

SSL
• Changes to SSL memory pool to increase Outlook performance when using Exchange online.

New Reports
• The new Site Activity report shows the data transferred between a given user and specific websites.

Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.

You can download Forefront TMG 2010 SP2 here. Full release notes will be made available here.