Microsoft Security Bulletin MS10-024 released


We have released security updates for the following versions of Exchange:

  • Security Update for Exchange 2000 Server (KB976703)
  • Security Update for Exchange Server 2003 Service Pack 2 (KB976702)
  • Update Rollup 10 for Exchange Server 2007 Service Pack 1 (KB981407)
  • Update Rollup 4 for Exchange Server 2007 Service Pack 2 (KB981383)
  • Update Rollup 3 for Exchange Server 2010 (KB981401)

Security-related changes for Exchange 2007 and Exchange 2010 ship as update rollups, following the cumulative servicing model. However, we have tried to keep the number of non-security-related changes in these rollups to a minimum.

More information can be found in the security bulletin, "Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)".

- The Exchange Team

Comments (29)
  1. Frank T says:

    So is this basically only relevant to the Hub and Edge Transport roles?

  2. Warren says:

    We found that the Windows Update version of update rollup 4 was offered to our CCR clusters – traditionally this is not the case – update rollups need installing separately from Windows Update on CCR nodes.

    Is this a policy change with this update or is there something not right with our setup? I guess there is a first time for everything!

    Warren

  3. Asken says:

    Do I have to install earlier rollups before installing this one?

  4. Joe says:

    What about Forefront in the process of updating the servers?

  5. Jason says:

    The Bulletin says the following for Ex2007 and 2010:

    I am running Exchange 2007 or Exchange 2010. Why am I being offered an update if they are not affected by the vulnerabilities described in this bulletin?

    The updates for Microsoft Exchange 2007 and Microsoft Exchange 2010 only include the defense-in-depth change that adds additional source port entropy to DNS transactions initiated by the SMTP service.

    What the heck does this mean?
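
What "source port entropy" means in practice, as an added example that is not part of the comment above or of the bulletin: a UDP DNS reply is matched to its query by source port and transaction ID, so a defender can check the ports of captured outbound queries for fixed, incrementing or small-pool patterns. The port lists are constructed samples, and the function names and the 0.8 and 0.9 thresholds are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

# Constructed samples: UDP source ports of consecutive outbound DNS queries.
_rng = random.Random(7)  # seeded only so the constructed samples are reproducible
FIXED = [1053] * 64
SEQUENTIAL = list(range(1025, 1089))
SMALL_POOL = [_rng.choice([2048, 2049, 2050, 2051]) for _ in range(64)]
RANDOMIZED = [_rng.randrange(1024, 65536) for _ in range(64)]


def shannon_bits(ports):
    """Shannon entropy, in bits, of the observed port distribution."""
    n = len(ports)
    return sum(c / n * math.log2(n / c) for c in Counter(ports).values())


def assess(ports, step_ratio=0.8, entropy_ratio=0.9):
    """Classify a port sequence; both ratios are illustrative assumptions."""
    if len(ports) < 2:
        return "insufficient data"
    if len(set(ports)) == 1:
        return "fixed"
    # An incrementing allocator has near-maximal histogram entropy but one
    # dominant delta between consecutive queries, so check deltas first.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    _, hits = Counter(deltas).most_common(1)[0]
    if hits / len(deltas) >= step_ratio:
        return "sequential"
    # Few distinct ports relative to the number of queries observed.
    if shannon_bits(ports) < entropy_ratio * math.log2(len(ports)):
        return "low-entropy"
    return "randomized"


def report():
    """Entropy and verdict for each constructed sample."""
    samples = {"fixed": FIXED, "sequential": SEQUENTIAL,
               "small pool": SMALL_POOL, "randomized": RANDOMIZED}
    return {name: (round(shannon_bits(p), 2), assess(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (bits, verdict) in report().items():
        print(f"{name:11s} entropy={bits:5.2f} bits  verdict={verdict}")
```

The sequential sample scores a full 6 bits of histogram entropy yet is trivially predictable, which is why the delta check runs before the entropy check.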

  6. Burch says:

    Can you explain how this works for Exchange 2003? Does one need the Exchange 2003 patch (976702) AND the Windows SMTP patch (976323), since Ex2003 uses Windows 2003’s SMTP?

  7. RobertW says:

    There is a bug in the RU for Exchange 2007 (since SP2 RU1). After the installation, customers with German language will not be able to open the toolbox because of a translation of some regkeys that should not be translated.

    Here you can find a REG file that will fix this little bug: http://tinyurl.com/y6lpa5b (in German only).

  8. NA says:

    From FAQ:

    Do I need to apply updates for both Windows and Exchange?

    For systems that have Microsoft Exchange installed, both the Exchange and Windows update should be applied. If you have the SMTP service enabled but do not run the Exchange service, only the Windows update need be applied.

  9. ananth says:

    If you are running Exchange 2003 or Exchange 2000, you need both the Exchange and Windows patches since they are both rated as important.

    If you are running SMTP service on a Windows only system, you need the Windows update since it is rated as important as well.

    If you are running Exchange 2007 or Exchange 2010, then applying the update is recommended even though it is not rated since it includes a defense-in-depth change. If you are applying the update rollup, you should apply it to all roles.

  10. Forrest C. Shields II says:

    WARNING: We have had this update reset all our SMTP settings (including relay settings) on two different servers.  Both were Windows Server 2008.

  11. Dan Willi says:

    We applied rollup3 to all of our exchange 2010 servers, on our CAS server it crashes our OWA site!  We have to uninstall the rollup to get it working again.  Still looking for a fix!!!

  12. Exchange says:

    Dan – if you are seeing issues, please head over to our Exchange Updates Forum and post there; blog post comments are a pretty poor vehicle for issue troubleshooting.

    http://social.technet.microsoft.com/Forums/en-US/exchangesoftwareupdate/threads

  13. DavidJCarr says:

    seems like this rollup will cause issues like rollup 9 did

  14. Arturo Soler says:

    Yes, this update can reset SMTP settings. One of my servers has been the problem and now I’ve read this: http://kbase.gfi.com/showarticle.asp?id=KBID003836

  15. Scott Roberts (Exchange) says:

    For folks with Cluster installs using Exchange 2007 SP2 or Exchange 2010, the rollup will be offered as a silent install via Microsoft Update and WSUS. Having your machine configured for Auto Update may have an impact as the Rollup will be installed on the node that is offered regardless of state of that node. Services will be restarted for that node and if Active – failover will happen.

  16. Exchange says:

    RobertW – We are aware of the issue and hope to address it in a future rollup.

  17. Richard Vetter says:

    Not only did this update wipe out SMTP relay for me, it appears to be causing timeouts. Hotmail.com works fine; gmail.com (as well as postini), chase.com, and other mail servers drop the connection after it gets to code 354, dropping with a 451 or 421 code.

  18. Remus Hociota says:

    Hello

    I would like to confirm the problems reported by Richard Vetter above.

    I use Exchange2003 SP2 and after this install I started to get problems with sending emails. A lot of my users get

    Subject: Delivery Status Notification (Failure)

    This is an automatically generated Delivery Status Notification.

    Delivery to the following recipients failed.

    There is definitely a problem with this. For instance for me hotmail.com does not work fine and I get this and no other changes happened on my system aside from this update. And I used to be able to email hotmail just fine a day before the update.

    There was a SMTP communication problem with the recipient’s email

    server.  Please contact your system administrator.

       <mail.eved.com #5.5.0 smtp;550 OU-001 Mail rejected by Windows Live

    Hotmail for policy reasons. Reasons for rejection may be related to

    content with spam-like characteristics or IP/domain reputation problems.

    If you are not an email/network admin please contact your

    E-mail/Internet Service Provider for help. Email/network admins, please

    visit http://postmaster.live.com for email delivery information and

    support>

  19. Scott Landry (MSFT) says:

    Arturo & Richard – We can confirm that there is an issue with the Windows 2008 and Windows 2008 R2 package where the existing configuration including pre-existing relay settings may be lost.  To the best of our knowledge this does not affect any version of Exchange server.  At this time, we are working to list the problem in the Known Issues section of the security bulletin and we are planning to release an update.

    For anyone whose issues are not already discussed (including Remus), would you be willing to open a support ticket with Microsoft?  Please feel free to reach out to me via email for proper follow up.  First.Last@_

  20. Remus Hociota says:

    Guys, a small update on my issue. It was caused by our mail server being included on a spamhouse antispam list. This was blocking the mails on other receiving mail servers.

    It just happened at the same time as these updates; that’s why it was so hard to pinpoint.

    thanks

  21. Doug Swanek says:

    Does SP2 rollout 4 include the DoS patch?

  22. Scott Landry (MSFT) says:

    Yes, SP2 RU4 contains the defense in depth code change for this issue.

  23. Navin says:

    Do I need to install previous roll-ups before installing these??

  24. robdacosta says:

    I have Exchange 2003 on SBS 2003 R2; I need to upgrade this Exchange to improve mail services.


  25. John Twilley says:

    We installed Update Rollup 4 for Exchange Server 2007 Service Pack 2 this weekend…

    For some reason, our BIS connected Blackberrys can no longer send/receive e-mail. (Standard Internet connected Blackberrys)   The BES Blackberrys (Enterprise connected) work just fine.

    Blackberry Support says to call AT&T and T-Mobile…

    Yeah right.

    John

  26. David Aldridge says:

    WARNING

    Exchange 2003 KB976702 effectively breaks ActiveSync push to iPhones.

    After install, iPhones seem to hold the push connection open with lots of cmd=Ping commands.  This causes the battery to drain at a phenomenal rate.

    Examining my ActiveSync logs showed no use of cmd=Ping before KB976702, and afterwards it appears every couple of minutes.

    Only workaround is to drop iPhones off push and back to fetch :(

    SERIOUSLY NOT IMPRESSED.

  27. Exchange says:

    @David Aldridge:

    David, we are not aware of this problem from what I am finding. Please open up a support case on this! We’d like to see a repro so we can figure it out.

  28. Hakim says:

    We installed Rollup 4 for Exchange 2007 SP2 last week and we are facing lots of issues after installing it: our Blackberry BIS users are not able to send and receive their email, our mail server is being included on a spam house antispam list, this update reset the SMTP settings, and I also got the below error when our POP3 users try to send any mail to an external domain from outside our network.

    “Sending’ reported error (0x800CCC62): ‘Your outgoing (SMTP) e-mail server has reported an internal error. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).”

  29. Ron Cameron says:

    @ David

    Looks like the same thing happened to us – updated the server last night and all the iPhones, iPads and Entourage clients stopped working.

    Configured my iPhone not to push, went into the account, turned off mail and turned it back on, and it seemed to work.

    We started getting a bunch of server ActiveSync warnings (event 3007) since the update.

Comments are closed.
