Updated: 10 December.
As anticipated, Microsoft released a set of security bulletins on Tuesday, December 10. Among the set, MS13-105 addresses a number of vulnerabilities in Exchange 2007, 2010, and 2013. The following updates have been released:
- Microsoft Exchange Server 2007 Service Pack 3 (RU12 – KB2903911)
- Microsoft Exchange Server 2010 Service Pack 2 (RU8 – KB2903903)
- Microsoft Exchange Server 2010 Service Pack 3 (RU4 – KB2905616)
- Microsoft Exchange Server 2013 Cumulative Update 2 (KB2880833)
- Microsoft Exchange Server 2013 Cumulative Update 3 (KB2880833)
These vulnerabilities are addressed in the updates:
- Delivers an updated Oracle Outside In library that addresses the problem with the DocReady functionality (see this CERT analysis of the vulnerability created for Exchange by Outside In – or another view on the issue here)
- Removes a cross-site scripting (XSS) attack vector in the Outlook Web App (OWA) logo
- Removes a deserialization attack vector by setting EnableViewStateMac in Outlook Web App (useful article here)
The roll-up updates for Exchange 2007 and 2010 contain nothing more than these fixes. As such, they should be much simpler to deploy than a regular roll-up update. However, be sure to test before deploying the code into production environments.
You’ll notice that KB2880833 appears to be the knowledge base article that describes the MS13-105 fixes for both CU2 and CU3. However, the CU2 page leads to download 41487 whilst the CU3 download is number 41526. Applying the updates changes the version number for CU2 to build 712.031 while CU3 goes to 775.041.
Exchange 2013 uses a different servicing model, which means that security updates are released separately from cumulative updates. Security updates for Exchange 2013 contain all previous security fixes, so MS13-105 contains the fixes previously provided in the infamous MS13-061 release (August 2013). You can install MS13-105 on top of MS13-061. More details about these updates are available on the EHLO blog.
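As an added example (not code from the original post), here is a PowerShell check for two of the points above: that an Exchange 2013 CU2 or CU3 server reports the post-MS13-105 build (712.31 or 775.41) and that the OWA web.config does not explicitly disable ViewState MAC. It assumes it is run in the Exchange Management Shell on the server and that the OWA web.config sits under the ExchangeInstallPath; both are assumptions, not details from the post.

```powershell
# Added example, not part of the original post.
# Assumptions: run in the Exchange Management Shell on an Exchange 2013 server;
# the OWA web.config path below is assumed, and the build/revision pairs come
# from the post (CU2 -> 712.031, CU3 -> 775.041).

# Expected Build => Revision pairs after MS13-105, per the post.
$patched = @{ 712 = 31; 775 = 41 }

function Test-Ms13105Build {
    # ExSetup.exe's file version moves when a security update is applied,
    # which is why it is the usual place to read the effective build.
    $v = (Get-Command ExSetup.exe).FileVersionInfo
    if ($v.FileMajorPart -ne 15 -or -not $patched.ContainsKey($v.FileBuildPart)) {
        return "Build $($v.FileVersion) is not Exchange 2013 CU2 or CU3; check the bulletin for your version."
    }
    if ($v.FilePrivatePart -ge $patched[$v.FileBuildPart]) {
        return "Build $($v.FileVersion): MS13-105 (or a later update) is applied."
    }
    return "Build $($v.FileVersion): MS13-105 is NOT applied (expected revision $($patched[$v.FileBuildPart]))."
}

function Test-OwaViewStateMac {
    # Assumed location of the OWA web.config under the Exchange install directory.
    $cfg = Join-Path $env:ExchangeInstallPath 'ClientAccess\Owa\web.config'
    [xml]$xml = Get-Content -Path $cfg
    $pages = $xml.configuration.'system.web'.pages
    # ASP.NET enforces the ViewState MAC by default; only an explicit "false"
    # opens the deserialization vector. This checks the site-level setting only,
    # not per-page @Page directives or machine.config.
    if ($pages -and $pages.enableViewStateMac -eq 'false') {
        return "$cfg disables ViewState MAC (enableViewStateMac=`"false`"): deserialization vector is open."
    }
    return "$cfg does not disable ViewState MAC."
}

Test-Ms13105Build
Test-OwaViewStateMac
```

The build check only tells you the binaries are at the patched level; the web.config check is worth keeping in a baseline audit, since a later manual edit can reopen the setting the update closed.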
Naturally, those running Exchange 2003 or earlier versions can ignore the security bulletins because you live in the land of dead software, or software that has ceased to exist in the eyes of Microsoft.
Of course, Exchange doesn’t exist in a vacuum and the other security bulletins released today affect other products such as Windows 8, Windows Server 2012, and Office, so there are lots of updates to be done.
Follow Tony @12Knocksinna