MS07-026: Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)


An Exchange Server related security bulletin was released yesterday. Here are some details; please go and get the patches that apply to your Exchange version!

Issued: May 08, 2007

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

Security Update Replacement: This bulletin replaces two prior security updates. See the Frequently Asked Questions (FAQ) section of the bulletin for details.

Affected Software:

  • Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004
  • Microsoft Exchange Server 2003 Service Pack 1
  • Microsoft Exchange Server 2003 Service Pack 2
  • Microsoft Exchange Server 2007

Please go here for more information and links to get the updates!

Additionally, you can read about all patches released yesterday on the Microsoft Security Response Center (MSRC) blog.

EDIT: One additional note about those fixes for Exchange 2000 and 2003. Please be aware that those fixes include the "Send As" behavior change as discussed in this KB article. Functionality of your 3rd party applications might be affected. Please make sure to check the article 912918!

- Nino Bilic

Comments (53)
  1. Chris LaMont Mankowski says:

    Not only is there a change in send as permissions, but store.exe now delivers mail to disabled recipients instead of NDR’ing them

  2. lei says:

    This update will helpful for my issue? Recently the application log on our Exchange Server showing MSExchangeTransport error, such as," The client at "81.252.105.92" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first  ". And our information store was unmounted randomly with error event ID 482 of ESE, Information Store (4608) First Storage Group: An attempt to write to the file "D:Exch_logsE00tmp.log" at offset 3145728 (0x0000000000300000) for 1048576 (0x00100000) bytes failed after 0 seconds with system error 1 (0x00000001): …

  3. vincent says:

    Lei: Please don’t put support issues into blog comments. Short answer: No. Open-up support a ticket, or run ExBPA/ExTRA.

  4. bday says:

    Is there ever going to be a way to apply Exchange updates through WSUS to Exchange clusters? Its no fun having to log on manually, stop the cluster service, apply the update, restart the cluster service. Then have to do it all over again on the other node. :)

  5. Robert says:

    Is Chris’s comment above regarding the change in behavior accurate? Is there documentation on these changes? I posed the question during the security bulletin call on Wed about whether there were any behavior changes in this patch and they said no, it was just a security hotfix, but did contain previous changes to store.exe like the Send As behavior change. It’d be nice to know about these changes before we deploy. Thanks.

  6. kgreene@pathfind.org says:

    There is a major problem with this update.

    After applying it, some mail in the local delivery queue could not be delivered.

    If you are having mail pile up in this queue, uninstall this update to restore mail flow. However, in doing so, you will have to uninstall at least one and up to 2 other OS critical updates: KB931768 and KB935966.

    I do not believe MS Exchange engineering team is working on this problem (I have opened a ticket in Banglalore, but I’m not certain the folks in India are fully aware of the implications of this problem.)

    A search of the internet leads me to believe that this is affecting many organizations.

  7. tony says:

    There is a strange exchange behavior after this patch is applied.  I have some user unable to open their email from outlook.  If they go into OWA 2003, they are able to see it.  Some user can’t move email from outlook to  

    their archive pst.  I uninstalled the patch

  8. Martin K says:

    I had problems with Blackberry Enterprise server 4.1.3 and uninstalled the patch.

  9. kgreene@pathfind.org says:

    I wonder if anyone is monitoring the comments. If so, I wonder why the blogmeisters haven’t addressed the obvious problems with this patch.

    The problem is that the patch introduces an issue with SMTP mail using non-English character sets. All such mail will remain stuck in the "local delivery queue."

    Is anyone at Microsoft "on" this problem???

  10. Marcia Sprey says:

    martin k,  what kind of problems did you have with the Bes v4.1.3?  Has anyone tested this patch on a 4.0 Blackberry server?

  11. bday says:

    Ok. After reading these comments through again I am holding off applying this to our entire org until some of these issues are addressed.

  12. Exchange says:

    martin k,

    Were the problems you had with BES related to this?

    http://support.microsoft.com/kb/912918

  13. ketandp says:

    Hey KGreen!!

    The support staff is well aware of the issues faced in certain situations and they also know how to go ahead with the workaround untll the solution is provided.

    I’m sure that the fix is going to be available in another couple of days or it can be anytime today.

    The issue that you have explained is very specific to certain messaging environment (that involves legacy exchange servers or non-exchange messaging servers) and specific message format that is a rare situation.

  14. Adam Shattuck says:

    We’re having this same issue with mail stuck in the queue after applying the patch as well as a seemingly related additional issue … when you try to OPEN an saved e-mail received from a sender who is now being queued, Outlook displays the message "Can’t Open This Item"

    I wanted to see if anyone else was having this same issue. We currently have a 5.5 server running IMS, delivering mail to a few 2003 servers.

    Also, is there an order in which you should uninstall the Exchange patch and the related OS patches (KB931768 and KB935966)?

    Will be working late tonight!

  15. james says:

    We had problems with this patch in that our mailstores would not mount upon reboot.  We have to manually bring them online.  Not good!

  16. Adam Shattuck says:

    FYI … I just removed the patches (OS 931768 and exchange 931832) and now the e-mails are opening fine. So it appears the issue with e-mails not opening is also related.

    ExchangeTeam: is MS planning on producing a publically available fix for this? Since it seems to be 5.5 related, I am guessing probably not.

    thanks!

  17. Exchange says:

    To address some concerns about the hotfix, we have some news.

    If you are experiencing the issue with opening emails and email sticking in queues, if related to application of fixes as described by this blog post, here is what you can do:

    If you are on Exchange 2003 SP2, you can call support services and ask for a hotfix referenced in KB article 934450; this article is not even published yet (we are working on it) – but the hotfix is available from our support organization at this time.

    If you are on Exchange 2003 SP1 and need a post SP1 hotfix for this issue, we do not have that fix ready yet. At this time I do not have the exact information as to when it will be ready, other than it is being worked on.

    Other than that – the removal of Exchange hotfix that caused this problem will resolve the issue too, as many of you have already posted about.

  18. Andy Grogan says:

    Hiya, reviewing the information for the patch I noticed that it replaces the Store.exe, does this also mean that the Databases will be patched to the new version (I kinda suspect they will).

    Cheers

    Andy

  19. Exchange says:

    Andy,

    If you are asking if you will be able to roll back the patch if needed – then the answer is yes. You can uninstall this hotfix and the previous version of Store will be able to mount the databases.

  20. bday says:

    Do you know if 934450 will supercede 931832 and be available through WSUS, or will it have to be applied seperately. I’d rather wait and apply 934450 once if it supercedes 931932 if possible. :)

  21. ChrisMankowski says:

    Robert: The change in behavior is documented here: http://support.microsoft.com/kb/903158 … but chances are you are already have the changes if you applied the Timezone update… which also includes a copy of store.exe

    I opened a case with Microsoft that verified that 926666 includes the update 903158.  Below is the workaround that they sent me:

    Step 1 Create a dummy account:

    =======================

    1). Please create a dummy account (e.g. names it dummyaccount) through Active Directory Users and Computers (ADUC).

    2). Make it mail enabled.

    Step 2 Set the Delivery restriction:

    =======================

    1). Open Active Directory Users and Computers (ADUC).

    2). Right click the user object and select properties.

    3). Select Exchange General tab; click Delivery Restriction button.

    4). On the Delivery Restrictions property window, select Only From under Message Restrictions and add the dummy account to the list.

    5). Click OK.

    6). Wait a while for DC replication.

    I just wish this functionality could be disabled/enabled via the registry.

  22. Adam Shattuck says:

    MsExchangeTeam: Any update on when you expect this new patch to be relased publicly? Removing KB 931832 requires removing KB 931768, which, when trying to remove, tells me a slew of other updates may not function properly if 931768 is removed. I would rather not remove them all if the fix is going to be released soon enough, but my users are about to erupt if something isn’t done.

    TIA and I really appreciate the open and somewhat candid line of communication established with this Blog.

  23. Adam Shattuck says:

    p.s. I should add that I have contacted support (via e-mail and phone). The person I spoke to had no knowledge of the patch and said I would have to buy a specialized support plan for an EOL product (5.5.).

  24. ketandp says:

    @Adam – I’d suggest you contact support and ask them to verify whether you are experiancing the same issue we have been discussing. If so, they will definately be able to provide you with the fix. The KB however is not been published and should be public soon.

    Please do not try to involve Exchange 5.5 IMS here when you report the issue. They may need extended support to assist you further. You can simply refer to these two KB articles (931832 & 934450) and let them know that the affected environment is Exchange 2003 SP2. They shoud route you to the appropriate team and support team should be able to verify the issue you are experiancing before sending this fix to you.

  25. Adam Shattuck says:

    I got it, and I can _confirm_ 934450 WORKS. Users are able to open emails that they previously could not, and e-mails that were queued are now being delivered. Again, this is an environment with an Exchange 5.5 IMS and several internal 2003 servers.

    THANK YOU!

  26. ketandp says:

    I’m glad that your problem is fixed now. Yes, as you mentioned some of the emails(not all) thru exchange 5.5 IMS delivered to the server with this new store version (7652.24 – for E2K3SP2) are affected. Calling support with the correct information would always be a good idea.

    Moving mailboxes with affected emails (where users are not able to open emails) should be avoided. once the fix is applied, mailboxes can be moved off the store.

  27. Exchange says:

    bday,

    934450 will NOT supercede 931832. It will have to applied separately. Also please note – this fix wis not required for everyone applying 931832 in the first place. If you experience problems as discussed here, then please call our support line to get the fix!

  28. Exchange says:

    Adam,

    At this time we do not plan to release the new fix publicly. Seeing that it does not apply to every environment, there is no need to "blanket apply" it to all servers that get the original security update.

    Again, if problems are experienced, our support staff can get you the fix. For post SP1 fix, please stay tuned…

  29. bday says:

    [quote]

    934450 will NOT supercede 931832. It will have to applied separately. Also please note – this fix wis not required for everyone applying 931832 in the first place. If you experience problems as discussed here, then please call our support line to get the fix!

    [/quote]

    Ok thanks. My only problem is that I cannot afford to apply 931832 and then have this maybe happen. I may just download the 2nd hot fix from the premier site and apply it at the same time.

  30. onurt says:

    There really is a problem with this. We have 20 Pc’s accessing Exchange via a seperate workgroup and none of the were able to access after the patch. I had to rollup, now everything is ok.

  31. Exchange says:

    OnurT,

    I am not 100% sure I understand in which way your client are accessing the mailboxes, however – if they are accessing them by the means of "Send As" permissions, then please see the following:

    http://support.microsoft.com/kb/912918

  32. Exchange says:

    Okay just to follow up on this:

    We have now built the post SP1 fix for this problem too. If you need it, please call our support line and ask for the fix discussed in KB 935728.

    I think we are going to consolidate all of this information into a separate blog post either later today or on Monday.

  33. Qaiser says:

    After installing KB931832 complaints came in for Outlook users unable to send emails, emails queing up with public folders unmounted. we rolled back and uninstalled the patch, after that outlook users were able to send emails and queues were not piling up however public folders are still unmount and because of that public folders and free/busy calender is also making problems. we have logged a call with Microsoft and trying to resolve it since last three days but still public folders are unmount. we have recveived the patch KB934450 and applied it but still no progress. if any one of you facing same sort of issue ans is able to resolve it please do let me know.

  34. NotAgain says:

    Ok, it’s officially been two weeks and I still don’t have a definate answer on what it going on with this patch fix.  Will 934450 work or not?  If so, how much longer is it going to take for Microsoft to fix this issue and roll out the patch for the patch?  Between the "Send As" permission, mail stores not mounting on reboot, e-mail not opening, and e-mail getting stuck in queue……are there any other reported issues with 931832 that I need to prepare for?  I am running Exchange 2003 SP2.

  35. Dave says:

    Do we have a date for the 934450 article to be released? I’d like as much information as possible from Microsoft so I can assess the risk as opposed to finding all this information from Microsoft’s customers.

    In what exact cases will 934450 need to be applied? How can we test if 934450 will need to be applied before-hand or after? Will there be a second version to the 931832 patch?

  36. SnoBoy says:

    Does the 934450 hot fix problems like: very slow connectivity – e.g: I had a simple send/recieve never complete – it just kept increasing the time to completion? Others are reporting Outlook losing connection entirely, then magically getting it back. We have had users with strange connectivity issues and in one case Outlook took 99% of the CPU cycles – all of this after the patch went on. BTW: we are Exchange 2003 native mode – front-end/back-end configuration. If so, I will get on the phone!

  37. Nomadic1 says:

    The hot fix information can be read about at this location.

    http://support.microsoft.com/kb/934450

    Also, the hot fix is available through premier support services.

    Nomadic1

  38. cjl says:

    Thanks for the link to the article. I’m curious, where does the tracelog get generated?  

  39. Arian van der Pijl says:

    I had to remove this update because of corrupted incoming attachments +- > 2 MB. (Exchange 2003 SP2).

    I had to convince a NL Microsoft guy by installing and de-installing this particular hotfix.

    Microsoft guy told me he eventually will escalate this issue if tomorrow (after removing update) all incoming attachments are ok.

  40. NotAgain says:

    Arian….is that the 931832 patch you are referring to or the 934450?  I am still waiting to deploy this in my company due to the problems its causing.  This is rediculous.

  41. Arian van der Pijl says:

    Yes, after installing kb931832 (Sp2) I got incoming attachment file corruption larger than approx. 2MB.

    Removing this update solved the problem (on my configuration setup) with the same attachments resent to our organisation.

    Microsoft tech sent me ‘Exchange2003-KB937625-x86.exe’ to install after re-applying kb931832.

    Unfortunately he cannot disclose any information of this fix (binaries are dated 06-06-2007)

    Maybe the MS-Exchange Team can give some information about KB937625 ????? *smiles*.

  42. Arian van der Pijl says:

    OK, reinstalled KB931832;

    KB931832 contains, amongs others, exmime.dll 6.5.7652.24

    Then installed the hotfix;

    ‘Exchange2003-KB937625-x86.exe’ updates only exmime.dll;

    exmime.dll 6.5.7653.4

    Now attachments come in 100% so for me the hotfix worked (tested with less than 10 attachments though).

    Still wandering what KB937625 fixes above KB931832, still no (public) KB article.

  43. Guido Leenders says:

    KB931832 was automatically applied to our server, and all four Windows Mobile 5 devices stopped syncing in 90% of the tries right away. Two is MDA-I, one is MDA-II and one is MDA-3. So it is not a specific BlackBerry problem.

    As a workaround, we are now syncing every 5 minutes so you get your mail at least once a day.

    Reversing the patch was not possible, since we first tried to install W2K3 SP2. Obviously this one removes the uninstall folder.

    We did find the kb931832.log however.

    Since this is the second time this year that a patch caused our SBS server to give production problems, we have disabled automatic applying of patches.

    Any hints from any one on how to get Windows Mobile 5 going again?

  44. frenchpanpan says:

    We also meet some issue after applying hotfix 931832:

    – messages stay in queue on our Exchange 2003 MTA servers (cluster) (problem with conversion from X400 to SMTP?)

    – some messages or attachments are unopenable

    – encoding issue with mail from applications (accentuated characters, attachment without extension)

    – global ‘Send As’ permission removed for some service account like Blackberry (fixed like explained on Microsoft article)

    Architecture:

    – half part of our servers are on Exchange 2003 SP2 (mixed mode) (clustered or member server), the remaining on Exchange 5.5 SP4 (member server)

    – SMTP in/out organization passed through Sendmail (Red Hat), connected to Exchange 2003 connector server (in place of the Exchange 5.5 one to avoid maximum of X400-SMTP conversion)

    We will contact our Microsoft support about hotfix 934450, hope this will help a little.

  45. frenchpanpan says:

    We have receive the hotfix KB934450 from our Microsoft support.

    It have been installed on one of our server with success:

    – Messages or attachments which were unopenable until now are working today,

    – Messages locked in retry mode on our local delivrery queue are now delivrered correctly.

    Now, we planned to install the hotfix on all of our Exchange 2003 servers.

  46. frenchpanpan says:

    We have receive the hotfix KB934450 from our Microsoft support.

    It have been installed on one of our server with success:

    – Messages or attachments which were unopenable until now are working today,

    – Messages locked in retry mode on our local delivrery queue are now delivrered correctly.

    Now, we planned to install the hotfix on all of our Exchange 2003 servers.

  47. Peder Pedersen says:

    Have installed KB931832 (MS07-026) on our Exchange 2003 SP2

    On newly installed servers are we not installing KB92666, MS06-019 & MS06-029 because they are replaced acording to MS07-026

    But SMS 2003 and Microsoft Update says that KB92666 (DST), KB912442 = MS06-029 and KB916803 = MS06-019 are missing. Why ?

    Problems in the CAB file for MS Update / SMS 2003 ?

  48. Scott says:

    Trying to install kb931832 and it just hangs.  Using SBS 2003 and it stops at about 30% or so and just hangs, no errors or messages or other processes going.  Have stopped the install, rebooted and tried again with the same results.  Can anyone give me a suggestion here?

  49. chisro says:

    did you try stopping the services for exchange? When I tried to install the fix(which I took off this AM) it stated that there were some services running that needed to be stopped.

    I had the same "cant open this item" and mail stuck in queues as stated above. I am going to wait for a few weeks and see how this new fix works before applying the 931832 and the subsequent fix.

    Has anyone had any issues with the 934450?

  50. frenchpanpan says:

    @chisro:

    We have installed 934450 on all servers and no more ‘can’t open’ or mail stuck now.

    I will say we haven’t issue with this kb.

    Since two week, one of our Public folder database is corrupted (system hierarchy not uptodate, error when viewing replication status, Free/Busy information unaccurate, …).

    This appear few day after installing the fix but I’m not sure it is related to (only one database impacted).

  51. DNB says:

    931832 includes exosal.dll which is one file also in KB 916783 – (disabled user account and 9548 errors in the event log).  Should 931832 change the Exchange server to behave as if 916783 is installed, even if it is not??   (ie is the optional 916783 now no longer optional because it is in 931832?

    We did have 916783 installed but later decided we wanted it removed. and I have been able to desired behavour by eventually returning exosal.dll to the original exchange version! (Unistalls didn’t do this!)  But 931832 puts a version of exosal.dll greater than 916783 and we again have the problem of mail delivering to disabled accounts.

  52. DNB says:

    I think I have answered my own query.  I had a front end server that never had 916783 and the 931832 hotfix definitely does change the behaviour for disabled accounts.  This is a real pain for us as we have a custom developed Identity management system that automatically disables accounts.  Now we have to develop a new process to stop email delivery.  It is annoying that this embedded functionality change in the security hotfix wasn’t better advertised jsut like the "Send As" change was alerted to.

  53. ksy888 says:

    Soon after we installed the 931832 patch, we also experienced mail

    flow issues where messages would not be delivered and were being

    held in the local delivery queue. Installing patch 934450 did

    resolve this problem, however we now have a different mail flow

    issue whereby emails are intermittently being delivered to the journal mailbox and not to the intended recipient. When this happens we have 2 entries from the smtp store driver delivering to our journal mailbox when viewing the  message in message tracking centre. We’d expect to see only 1 entry for the journal mailbox and 1 entry for the recipient mailbox from the smtp store driver.

    Has anyone experienced the same problem with patch 934450?

    Our store.exe version is currently 6.5.7653.2. Is there a patch / hotfix which supercedes 934450?

Comments are closed.

Skip to main content