Microsoft Security Bulletin MS11-100 and Exchange Server


On December 29th, Microsoft released Security Bulletin MS11-100 to address a publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. For details about the vulnerabilities, affected software and update information, see MS11-100 Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420).

We have completed testing of the security updates on Exchange 2010, Exchange 2007 and Exchange 2003 servers running on the corresponding supported versions of Windows Server – Windows 2008 R2, Windows 2008 and Windows 2003.

We recommend that customers apply the corresponding security update for Windows Server (listed in the security bulletin) on their Exchange 2010, Exchange 2007 and Exchange 2003 servers.

Bharat Suneja

Comments (10)
  1. HotFix says:

    We are a little confused – Is the reason for this post because the security update was an out-of-band release that hadn't officially been tested with Exchange yet and the assumption on our part should be that all regular monthly security updates have already gone through this type of testing with Exchange – or – is this something new where all security updates regarding integral Exchange pieces like .NET Framework will get an official sign off by the Exchange team in a forum like this?

    The reason I asked is because we had already applied the out-of-band update and we are a little nervous as to why you all officially signed off on it which you usually don't do.

  2. Bharat Suneja [MSFT] says:

    @HotFix: Thanks for the feedback. We frequently get questions about specific updates, particularly the ones that are critical enough to be released "out-of-band" (i.e. between the scheduled monthly updates). Questions such as: does this apply to Exchange Server/Windows Server version xxxx? do I need to apply it on CAS only, or all servers?

    This update also deserves special attention because it was released during a period when many are away celebrating and may have missed it.

    If you proactively review security bulletins and apply updates, you're good. If a security update has been released by Microsoft, you can apply it to affected servers. This post is not a sign-off and no sign-offs are required.

    We've previously blogged about another security update (see Microsoft Security Advisory 2416728, the ASP.NET Vulnerability, and Exchange Server), and will continue to do so as required to address customer questions.

  3. pete says:

    Maybe a stupid question but does TMG provide any protection or does the vulnerability pass right through it, thus affecting an Exchange server?  Thank you.

  4. Bharat Suneja [MSFT] says:

    @Pete: The bulletin includes multiple vulnerabilities and it'd depend on how TMG's configured. For example, you can be alerted for one of the vulnerabilities if you have the Network Inspection System's IDS signature updated. You can configure TMG to block that traffic instead of alerting. See details and discussion in Forefront TMG – NIS Update for CVE-2011-3414. You'd need to contact the TMG team for more details.

    But TMG can only protect you if the traffic passes through it.

    Regardless, we strongly recommend applying the security updates.

  5. Preston Gallwas says:

    This info is good to have at any rate  – MS11-100 caused a mission critical app to fail on us this morning.  We had to pull the update and inform the vendor.

  6. John says:

    Hello,

    WSUS has presented a number of our Windows 2003 R2 x64 servers (hosting Exchange 2007) with this patch to be installed, however the installation fails on all of them?

    Any advice?

  7. John says:

    Addition to above post: I should clarify that it is specifically the .NET 1.1 version of the patch.

  8. susan says:

    .net installs can be troublesome and sometimes fail.  What's the error code you are getting, and I'd post in either the Exchange software updates forum, a Windows update forum or check out http://www.patchmanagement.org to sign up for and post questions about patching issues.

  9. jc says:

    HELLO,

    Why does this update keep reappearing after download and installation? This must be the 20th identical one I have installed. Asus N71g, Windows 7 x64 v 6.1.7601 SP1, IC2 duo, Nvidia GeForce GT 220M.

    Thank you for your replies.

    Regards.

  10. Bharat Suneja [MSFT] says:

    @JC: Hello. You will need to ask that in a Windows forum.
