Microsoft released security updates to fix a remote code execution vulnerability in Exchange Server. The related knowledge base article is KB4018588.
More information is contained in the following Common Vulnerabilities and Exposures articles:
- CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
- CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
- CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability
Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:
- Exchange 2010 SP3
Rollup 18 For Exchange 2010 SP3 (KB4018588), v14.3.361.1
- Exchange 2013 SP1
Security Update For Exchange Server 2013 SP1 (KB4018588), v15.0.847.55
- Exchange 2013 CU16
Security Update For Exchange Server 2013 CU16 (KB4018588), v15.0.1293.4
- Exchange 2016 CU5
Security Update For Exchange Server 2016 CU5 (KB4018588), v15.1.845.36
As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.
The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.