Exchange 2010-2016 Security Fixes

Ex2013 LogoMicrosoft released security updates to fix a remote code execution vulnerability in Exchange Server. The related knowledge base article is KB4018588.

More information is contained in the following Common Vulnerabilities and Exposures articles:

  • CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
  • CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability

Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:

As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.

The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.

Exchange Updates – December 2016

Ex2013 LogoToday, the Exchange Team released the December updates for Exchange Server 2013 and 2016, as well as Exchange Server 2010 and 2007.

Changes introduced in Exchange Server 2016 CU4 are an updated OWA composition window, and on Windows Server 2016, KB3206632 needs to be present before CU4 can be deployed. This KB fixes – among other things – the problem with DAG members experiencing crashing IIS application pools. Be advised that the KB3206632 update for Windows Server 2016 is a whopping 1 GB. You can download this update here.

The biggest change for Exchange Server 2013 is support for .NET 4.6.2. Be advised organizations running Exchange 2016 or 2013 on .NET 4.6.1 should start testing with and planning to deploy .NET 4.6.2, as the March updates will require .NET 4.6.2, which is currently still optional.

Both Cumulative Updates introduce an important fix for indexing of Public Folder when they were in the process of being migrated. To ensure proper indexing, it is recommended to move public folder mailboxes to a different database so they will get indexed properly.

The Cumulative Updates also include DST changes, which is also contained in the latest Rollups published for Exchange 2010 and 2007.

For a list of fixes in these updates, see below.

Exchange 2016 CU4 15.1.669.32 KB3177106 Download UMLP
Exchange 2013 CU15 15.0.1263.5 KB3197044 Download UMLP
Exchange 2010 SP3 Rollup 16 14.3.339.0 KB3184730 Download
Exchange 2007 SP3 Rollup 22 8.3.502.0 KB3184712 Download
  • KB 3202691 Public folders indexing doesn’t work correctly after you apply latest cumulative updates for Exchange Server
  • KB 3201358 Set-Mailbox and New-Mailbox cmdlets prevent the use of the -Office parameter in Exchange Server 2016
  • KB 3202998 FIX: MSExchangeOWAAppPool application pool consumes memory when it recycles and is marked as unresponsive by Health Manager
  • KB 3208840 Messages for the health mailboxes are stuck in queue on Exchange Server 2016
  • KB 3186620 Mailbox search from Exchange Management Shell fails with invalid sort value in Exchange Server 2016
  • KB 3199270 You can’t restore items to original folders from Recoverable Items folder in Exchange Server 2016
  • KB 3199353 You can’t select the receive connector role when you create a new receive connector in Exchange Server 2016
  • KB 3193138 Update to apply MessageCopyForSentAsEnabled to any type of mailbox in Exchange Server 2016
  • KB 3201350 IMAP “unread” read notifications aren’t suppressed in Exchange Server 2016
  • KB 3209036 FIX: “Logs will not be generated until the problem is corrected” is logged in an Exchange Server 2016 environment
  • KB 3212580 Editing virtual directory URLs by using EAC clears all forms of authentication in Exchange Server 2016

Exchange 2013 CU15 fixes:

  • KB 3198092 Update optimizes how HTML tags in an email message are evaluated in an Exchange Server 2013 environment
  • KB 3189547 FIX: Event ID 4999 for a System.FormatException error is logged in an Exchange Server 2013 environment
  • KB 3198046 FIX: The UM mailbox policy is not honored when UM call answering rules setting is set to False in an Exchange Server 2013 environment
  • KB 3195995 FIX: Event ID 4999 with MSExchangerepl.exe crash in Exchange Server 2013
  • KB 3208886 Send As permission of a linked mailbox is granted to a user in the wrong forest in Exchange Server 2013
  • KB 3188315 Messages are stuck in outbox when additional mailboxes are configured in Outlook on Exchange Server 2013
  • KB 3202691 Public folders indexing doesn’t work correctly after you apply latest cumulative updates for Exchange Server
  • KB 3203039 PostalAddressIndex property isn’t returning the correct value in Exchange Server 2013
  • KB 3198043 Shadow OAB downloads don’t complete in Exchange Server 2013
  • KB 3208885 Microsoft.Exchange.Store.Worker.exe process crashes after mailbox is disabled in Exchange Server 2013
  • KB 3201966 MSExchangeOWAAppPool application pool consumes excessive memory on restart in Exchange Server 2013
  • KB 3209041 FIX: An ActiveSync device becomes unresponsive until the sync process is complete in an Exchange Server environment
  • KB 3209013 FIX: The LegacyDN of a user is displayed incorrectly in the From field in the Sent Items folder on an ActiveSync device
  • KB 3209018 FIX: Results exported through the eDiscovery PST Export Tool never finishes in an Exchange Server environment
  • KB 3199519 Inconsistent search results when email body contains both English and non-English characters in Exchange Server 2013
  • KB 3211326 “ConversionFailedException” error when emails are sent on the hour in Exchange Server 2013

Notes:

  • Exchange 2016 CU4 doesn’t incldue schema changes compared to CU4, however, Exchange 2016 CU4 as well as Exchange 2013 CU15 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Do note that upgrading, before installing the Exchange binaries, setup will put the server in server-wide offline-mode.
  • Using Windows Management Framework (WMF)/PowerShell version 5 on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to stay at least one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of upgrading servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or TechNet forum for any issues.

Exchange 2010 SP3 RU12 & Exchange 2007 SP3 RU18

Exchange 2010 LogoThe Exchange Team released Rollup 12 for Exchange Server 2010 Service Pack 3 (KB3096066) as well as Rollup 18 for Exchange Server 2007 Service Pack 3 (KB3078672). These update raise version numbers to 14.3.279.2 and 8.3.445.0 respectively.

Apart from a Daylight Savings Time update, documented here, these Rollups contain the following fixes:

Exchange 2010 SP3 Rollup 12:

  • KB 3048372 Exchange Calendar items are shifted incorrectly when some Windows DST updates are applied
  • KB 3096125 CryptographicException error when Edge Transport service crashes in an Exchange Server 2010 environment
  • KB 3097219 Organizer’s name isn’t displayed in the subject of the recurring meeting requests in Exchange Server 2010
  • KB 3106421 Very long URLs in an email message don’t open in OWA in Internet Explorer
  • KB 3115809 Mailboxes can be accessed when the DefaultNetworkCredentials option is selected when you use Exchange Web Services Managed API to connect to Exchange Server

Exchange Server 2007 SP3 Rollup 18:

  • KB 3106421 Very long URLs in an email message don’t open in OWA in Internet Explorer

Notes:

    • If you want to speed up the update process for systems without internet access, follow the procedure described here to disable publisher’s certificate revocation checking.
    • If you got an Exchange 2010 DAG, and want to properly update the DAG members, check the instructions here.
    • As for any Hotfix, Rollup, Service Pack or Cumulative Update, apply this update to a acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a certain period and monitor the comments on the release article or TechNet forum for any issues.

Rollups are cumulative per service pack level, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you can apply the latest Rollup after installing a fresh installation of RTM or SPx version, for that product level.

You can download Exchange 2010 SP3 Rollup 12 here and Exchange 2007 SP3 Rollup 18 here.

Exchange 2010 SP3 RU10 & Exchange 2007 SP3 RU17

Exchange 2010 LogoThe Exchange Team released Rollup 10 for Exchange Server 2010 Service Pack 3 (KB3049853) as well as Rollup 17 for Exchange Server 2007 Service Pack 3 (KB3056710). These update raises the version numbers to 14.3.248.2 and 8.3.417.1 respectively.

Rollup 10 contains the following fixes for Exchange Server 2010 SP3:

  • KB 3069055 Various DAG maintenance scripts do not work in an Exchange Server 2010 environment
  • KB 3057422 “MapiExceptionNoAccess: Unable to query table rows” error and some mailboxes cannot be moved
  • KB 3056750 Exchange ActiveSync application pool crashes in an Exchange Server 2010 environment
  • KB 3054644 “The item no longer exists” error when you access an archive mailbox in Outlook Web App in Exchange Server 2010
  • KB 3051284 Event ID 4999 is logged and MSExchangeServicesAppPool crashes in an Exchange Server 2010 environment
  • KB 3049596 Event ID 4999 is logged and remote procedure call Client Access service crashes in an Exchange Server 2010 environment
  • KB 2964344 MSExchangeRPC service stops working intermittently in Exchange Server 2010
  • KB 3055764 Exchange Server 2010 Address Book Service crashes with event ID 4999

For Exchange Server 2007 SP3, the Rollup 17 contains the following fix:

  • KB 3057222 “InvaIidOperationException” error and cannot open digitally signed or NDR messages in FIPS-enabled Exchange Server 2007

Notes:

  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • If you got an Exchange 2010 DAG, and want to properly update the DAG members, check the instructions here.
  • Rollups are cumulative per service pack level, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup package.

You can download Exchange 2010 SP3 Rollup 10 here and Exchange 2007 SP3 Rollup 14 here.

Exchange 2010 SP3 Rollup 9

Exchange 2010 LogoToday the Exchange Team released Rollup 9 for Exchange Server 2010 Service Pack 3 (KB3030085). This update raises Exchange 2010 version number to 14.3.235.1.

In addition to DST changes, this Rollup contains the following fixes:

  • 3032153 Recurring events in Calendar over DST are not adjusted on all ActiveSync devices in all Exchange Server environments
  • 3029667 SMTP is not transported over TLS 1.1 or TLS 1.2 protocol in an Exchange Server 2010 environment
  • 3017297 Event ID 3091 is logged and public folder replication fails in an Exchange Server 2010 environment
  • 3011892 Exchange ActiveSync client displays an incorrect email address in an Exchange Server 2010 environment
  • 3004486 A default application pool becomes unresponsive in Exchange Server 2010 that has more than 64 multirole servers

Notes:

  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • If you got a DAG and want to properly update the DAG members, check the instructions here.
  • Rollups are cumulative per service pack level, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup package.
  • Exchange 2010 is in extended support.

As with any Hotfix, Rollup or Service Pack, I’d recommend to thoroughly test this rollup in a test and acceptance environment first, prior to implementing it in production.
You can download Exchange 2010 SP3 Rollup 9 here.

Exchange 2010 SP3 Rollup 8v2

Exchange 2010 Logo

UPDATE (December 12th, 2014): Exchange 2010 SP3 Rollup 8 v2 is released, addressing the issue mentioned below in the initially published version. The new version number is 14.3.224.2 (was 14.3.224.1). You can download RU8v2 here.

UPDATE (December 10th, 2014): Exchange 2010 SP3 Rollup 8 has been pulled after discovery of Outlook MAPI issues. It is currently recommended not to deploy RU8 and when you have installed RU8, to revert to RU7 to prevent walking into this issue. Other protocols, such as EAS or IMAP4, as unaffected which is why you might not encounter this problem immediately.

Today the Exchange Team released Rollup 8 for Exchange Server 2010 Service Pack 3 (KB2986475). This update raises Exchange 2010 version number to 14.3.224.1.

This Rollup contains a security update to fix a potential elevation of privilege issue (bulletin MS14-075), as well as the following fixes:

  • 3004235 Exchange Server meetings in Russian time zones as well as names of time zones are incorrect after October 26, 2014
  • 3009132 Hybrid mailbox moves to on-premises environment but finishes with CompletedWithWarnings status
  • 3008999 IRM restrictions are applied to incorrectly formatted .docx, .pptx, or .xlsx files in an Exchange Server 2010 environment
  • 3008370 Group members are not sorted by display name when HAB is used with OAB in Exchange Server 2010
  • 3008308 Public folder database migration issue in a mixed Exchange Server environment
  • 3007794 Hub Transport server cannot deliver messages when a database fails over to a cross-site DAG in Exchange Server 2010
  • 3004521 An Exchange server loses its connection to domain controllers if a public folder server is down in Exchange Server 2010
  • 2999016 Unreadable characters when you import ANSI .pst files of Russian language by using the New-MailboxImportRequest cmdlet
  • 2995148 Changing distribution group takes a long time in an Exchange Server 2010 environment
  • 2992692 Retention policy is not applied to Information Rights Management protected voice mail messages in Exchange Server 2010
  • 2987982 Issues caused by ANSI mode in Exchange Server 2010
  • 2987104 Email message is sent by using the “Send As” instead of “Send on Behalf” permission in Exchange Server 2010
  • 2982017 Incorrect voice mail message duration in Exchange Server 2013 and Exchange Server 2010
  • 2977279 You cannot disable journaling for protected voice mail in Exchange Server 2013 and Exchange Server 2010

Notes:

  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • If you got a DAG and want to properly update the DAG members, check the instructions here.
  • Rollups are cumulative per service pack level, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup package.

As with any Hotfix, Rollup or Service Pack, I’d recommend to thoroughly test this rollup in a test and acceptance environment first, prior to implementing it in production.
You can download Exchange 2010 SP3 Rollup 8 here.

Exchange 2007 SP3 Rollup 15

exchange2007logo2[1]Today the Exchange Team released Rollup 15 for Exchange Server 2007 Service Pack 3 (KB2996150). This update raises Exchange 2007 version number to 8.3.389.2.

This Rollup contains a security update to fix a potential elevation of privilege issue (bulletin MS14-075), as well as the following fixes:

  • 3004235 Exchange Server meetings in Russian time zones as well as names of time zones are incorrect after October 26, 2014
  • 3008308 Public folder database migration issue in a mixed Exchange Server environment

Notes:

  • When running ForeFront Protection for Exchange, make sure you disable ForeFront before installing the rollup and re-enable it afterwards, otherwise the Information Store and Transport services may not start. You can disable ForeFront using fscutility /disable and enable it using the fscutility /enable command;
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking;
  • Rollups are cumulative per service pack level, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup package.

As with any Hotfix, Rollup or Service Pack, I’d recommend to thoroughly test this rollup in a test and acceptance environment first, prior to implementing it in production.
You can download Exchange 2007 SP3 Rollup 15 here.

Exchange 2010 SP3 Rollup 7

Exchange 2010 LogoToday the Exchange Team released Rollup 7 for Exchange Server 2010 Service Pack 3 (KB2961522). This update raises Exchange 2010 version number to 14.3.210.2.

This Rollup includes the following fixes:

  • 2983261 “HTTP 400 – Bad Request” error when you open a shared mailbox in Outlook Web App in an Exchange Server 2010 environment
  • 2982873 Outlook Web App logon times out in an Exchange Server 2010 environment
  • 2980300 Event 4999 is logged when the World Wide Web publishing service crashes after you install Exchange Server 2010 SP3
  • 2979253 Email messages that contain invalid control characters cannot be retrieved by an EWS-based application
  • 2978645 S/MIME option disappears when you use Outlook Web App in Internet Explorer 11 in an Exchange Server 2010 environment
  • 2977410 Email attachments are not visible in Outlook or other MAPI clients in an Exchange Server 2010 environment
  • 2976887 eDiscovery search fails if an on-premises Exchange Server 2010 mailbox has an Exchange Online archive mailbox
  • 2976322 Assistant stops processing new requests when Events in Queue value exceeds 500 in Exchange Server 2010
  • 2975988 S/MIME certificates with EKU Any Purpose (2.5.29.37.0) are not included in OAB in Exchange Server 2010
  • 2966923 Domain controller is overloaded after you change Active Directory configurations in Exchange Server 2010

Notes:

  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • If you got a DAG and want to properly update the DAG members, check the instructions here.
  • Rollups are cumulative per service pack level, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup package.

As with any Hotfix, Rollup or Service Pack, I’d recommend to thoroughly test this rollup in a test and acceptance environment first, prior to implementing it in production.

You can download Exchange 2010 SP3 Rollup 7 here.

Exchange 2007 SP3 Rollup 14

exchange2007logo2[1]Today the Exchange Team released Rollup 14 for Exchange Server 2007 Service Pack 3 (KB2936861). This update raises Exchange 2007 version number to 8.3.379.2.

This Rollup introduces daylight saving times (DST) changes.

Notes:

  • When running ForeFront Protection for Exchange, make sure you disable ForeFront before installing the rollup and re-enable it afterwards, otherwise the Information Store and Transport services may not start. You can disable ForeFront using fscutility /disable and enable it using the fscutility /enable command;
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking;
  • Rollups are cumulative per service pack level, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup package.

As with any Hotfix, Rollup or Service Pack, I’d recommend to thoroughly test this rollup in a test and acceptance environment first, prior to implementing it in production.

You can download Exchange 2007 SP3 Rollup 14 here.

Exchange 2010 SP3 Rollup 6

Exchange 2010 LogoToday the Exchange Team released Rollup 6 for Exchange Server 2010 Service Pack 3 (KB2936871). This update raises Exchange 2010 version number to 14.3.195.1.

This Rollup includes the following fixes:

  • 2960652 Organizer name and meeting status field can be changed by EAS clients in an Exchange Server 2010 environment
  • 2957762 “A folder with same name already exists” error when you rename an Outlook folder in an Exchange Server 2010 environment
  • 2952799 Event ID 2084 occurs and Exchange server loses connection to the domain controllers in an Exchange Server 2010 environment
  • 2934091 Event ID 1000 and 7031 when users cannot connect to mailboxes in an Exchange Server 2010 environment
  • 2932402 Cannot move a mailbox after you install Exchange Server 2010 SP3 RU3 (KB2891587)
  • 2931842 EWS cannot identify the attachment in an Exchange Server 2010 environment
  • 2928703 Retention policy is applied unexpectedly to a folder when Outlook rule moves a copy in Exchange Server 2010
  • 2927265 Get-Message cmdlet does not respect the defined write scope in Exchange Server 2010
  • 2925273 Folder views are not updated when you arrange by categories in Outlook after you apply Exchange Server 2010 Service Pack 3 Update Rollup 3 or Update Rollup 4
  • 2924592 Exchange RPC Client Access service freezes when you open an attached file in Outlook Online mode in Exchange Server 2010
  • 2923865 Cannot connect to Exchange Server 2010 when the RPC Client Access service crashes

Notes:

  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • If you got a DAG and want to properly update the DAG members, check the instructions here.
  • Rollups are cumulative, i.e. they contain fixes released in earlier update Rollups for the same product level (RTM, SP). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup package.

As with any Hotfix, Rollup or Service Pack, I’d recommend to thoroughly test this rollup in a test and acceptance environment first, prior to implementing it in production.

You can download Exchange 2010 SP3 Rollup 6 here.