Microsoft Unveiling Critical Security Release Updates for Exchange Server 2007, 2010, 2013, and 2016

In September 2016 Microsoft released security bulletin MS16-108, which contains critical security updates for all currently supported versions of Exchange Server.

MS16-108 includes updates that patch remote code execution vulnerabilities in the Oracle Outside In libraries, third-party code that Microsoft licenses for use in Exchange. These Oracle libraries have been the source of several security vulnerabilities in various versions of Exchange Server over the years.

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of them could allow remote code execution in some of the Oracle Outside In libraries built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server.

This security update is rated Critical for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, and Microsoft Exchange Server 2016. For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerabilities by correcting how Microsoft Exchange:

  • Parses certain unstructured file formats.
  • Handles open redirect requests.
  • Handles Microsoft Outlook meeting invitation requests.

Updates are made available for:

  • Exchange Server 2007 Service Pack 3 (this update is also known as Update Rollup 21)
  • Exchange Server 2010 Service Pack 3 (this update is also known as Update Rollup 15)
  • Exchange Server 2013 Service Pack 1 (although this version is still supported and receives security updates, it is more than two years old, so it is recommended that you do not continue running this build in production)
  • Exchange Server 2013 CU12
  • Exchange Server 2013 CU13
  • Exchange Server 2016 CU1
  • Exchange Server 2016 CU2

If you are running any earlier version of Exchange not listed above, you should consider it at risk for these vulnerabilities.

These patches are being released at a time when the next cumulative updates for Exchange 2013 and 2016 could ship any day. The security updates listed above will be included in those upcoming cumulative updates. Regardless of the expected timing of the CU releases, you should begin testing and planning to deploy the standalone security updates now, since they are critical updates. Because no details of Exchange 2013 CU14 or Exchange 2016 CU3 have been publicly announced, they may contain other functional changes that you need more time to test and verify, and that testing should not delay these critical security updates.

Why Microsoft is issuing a security update for vulnerabilities in third-party code (the Oracle Outside In libraries)

Microsoft licenses a custom implementation of the Oracle Outside In libraries, specific to the product in which the third-party code is used. Microsoft is releasing this security update to ensure that all customers using this third-party code in Microsoft Exchange are protected from these vulnerabilities. For more information about these vulnerabilities, see the Oracle Critical Patch Update Advisory – July 2016.
