Now Available: Updated Release of MS13-061 Security Update for Exchange Server 2013


On August 14th, we announced the removal of the MS13-061 Security Update for Exchange Server 2013 due to an issue where the patch changed settings for the search infrastructure, placing the content index for all databases into a failed state.  As of today, we have released updated security updates for both Exchange 2013 RTM CU1 and Exchange 2013 RTM CU2.

Download links for MS13-061:

As always, we recommend you test updates in a lab environment that closely mirrors your production environment prior to deploying in your production environment.

Questions & Answers

Q: What was changed in these patches?

A: The registry settings for the search infrastructure outlined in KB 2879739 are preserved during patch installation.

Q: Was this patch tested in your on-premises environment prior to release?

A: Yes, we tested this in our Exchange Dogfood environment prior to release and validated that the search settings were retained upon installation.

Q: What happens if I uninstall the security update (or any other interim update I receive from Microsoft for Exchange 2013)?

A: You will need to follow the steps identified in KB 2879739, otherwise your search infrastructure will be broken. 

Q: Wait, I thought you fixed that issue; why do I have to follow KB 2879739 if I uninstall?

A: This has to do with the way the search infrastructure is installed during the Cumulative Update.  Unfortunately, this issue cannot be corrected via a patch file; we have to address it in a cumulative update.  We are planning to address this in CU3.

Q: If I uninstall a patch and then install a new patch, do I still have to follow the steps in KB 2879739?

A: Yes.

Q: Will I need to follow KB 2879739 every time I install a patch?

A: No; the installation of a new patch without uninstalling the previous patch will not introduce this behavior.

Ross Smith IV
Principal Program Manager
Exchange Customer Experience
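
A post-install check for the failure described above (content indexes in a failed state), as an added example that is not part of the original post or of KB 2879739. It assumes it is run in the Exchange Management Shell on the patched server; the parameter and variable names are illustrative.

```powershell
# Added example (not from the original post): verify search health after
# installing or uninstalling an Exchange 2013 update.
# Assumption: run in the Exchange Management Shell, where the
# Get-MailboxDatabaseCopyStatus cmdlet is available.
param(
    [string]$Server = $env:COMPUTERNAME   # server to check; defaults to the local machine
)

$problems = @()

# 1. Database copies hosted on this server, with their content index state.
$copies = @(Get-MailboxDatabaseCopyStatus -Server $Server -ErrorAction SilentlyContinue)

# 2. Search-related Windows services, matched by display name.
$searchServices = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like 'Microsoft Exchange Search*' })

foreach ($svc in $searchServices) {
    '{0,-45} State={1,-8} StartMode={2}' -f $svc.DisplayName, $svc.State, $svc.StartMode
    # Only a server that hosts database copies needs the search services running.
    if ($copies.Count -gt 0 -and $svc.State -ne 'Running') {
        $problems += "Service not running: $($svc.DisplayName)"
    }
}

if ($copies.Count -eq 0) {
    # A dedicated CAS server hosts no database copies, so there is no index to check.
    "No mailbox database copies on $Server; content index check skipped."
}

foreach ($copy in $copies) {
    '{0,-45} Status={1,-10} ContentIndexState={2}' -f $copy.Name, $copy.Status, $copy.ContentIndexState
    # Anything other than Healthy is listed for follow-up.
    if ("$($copy.ContentIndexState)" -ne 'Healthy') {
        $problems += "Content index $($copy.ContentIndexState): $($copy.Name)"
    }
}

if ($problems.Count -gt 0) {
    'Search problems found; review KB 2879739:'
    $problems | ForEach-Object { "  $_" }
    exit 1
}
'Search services and content indexes look healthy.'
```

Running it before and after the update in the lab gives a direct comparison of search state across the install.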

Comments (24)
  1. Color me cynical but says:

    how many people actually dogfood the patch this time? Was it more than a handful? Did Ballmer himself test this before placing the onus on other companies to do the same or are you expecting us to again beta test barely tested code?

  2. itworkedinthelab says:

    leave Ballmer alone :)

    he has enough worries (has a lot of packing)

    the code was tested in Iran it works fine :)

  3. zumarek says:

    Color me cynical but

    Stay on Exchange 2010 and you will be fine.

  4. ABCFED says:

    Ross, can you please confirm that the entire Exchange product team is now running Exchange with this patch?  If not, I'll pass until others test it first.

  5. Name says:

    What a mess Exchange has become lately.

  6. Color Me Unprofessional but says:

    I like to blast any and all patches, upgrades, etc straight into production without testing myself.  Once done, and if there are problems, I'll take to the internetz and display my vast intellect by whining on comment boards.

  7. John B says:

    For the people who never stop complaining on this site. You can always switch to GroupWise and leave the rest of us alone. Otherwise, shut the (eff) up….

  8. catch22 says:

    So, Microsoft not testing patches adequately for the past year is a-okay, but people coming to complain on this blog over the last year of shitty patches and crashing test and production servers for critical patches is a problem?

  9. @John B says:

    is GroupWise like Groupon?

    never heard of it:)

  10. Anonymous says:

    expired.aspx does not support UPN auth. Exch 2013 needs more to gain money to live on.

  11. BT says:

    Ross Smith,

    I want to know the answer to just one question.

    Are you (Ross Smith) currently running on your production Microsoft Exchange server mailbox that you use for  work Outlook access with this specific patch applied?

  12. Brian Day [MSFT] says:

    @BT, I can't speak for Ross, but my corporate mailbox is certainly on it and search is working great.

  13. Paul Cunningham says:

    I've installed the new update on my CU2 test servers and they seem fine. No issues that I can see so far.

  14. Benoit Boudeville says:

    Will this update have to be removed prior to upgrade to CU3 ? Given that the issue can only reoccur in a removal sequence of the MSP itself, having to remove it before CU3 would be painful. Now if it is just like MSPs Rollups we had in Ex2007/Ex2010 and since installing a CU is similar to installing a SP and that it was not an issue then, will this be the same? (cross fingers that yes :p)

  15. Ross Smith IV says:

    @ABCFED – the Exchange PG is dispersed across multiple different environments; some are in the multi-tenant service, some are in our Exchange Dogfood forest, some are in the corporate environment, and even a few are in the Office 365-Dedicated environment.  So not all of them have this specific patch installed; some have the Exchange 2010 patch installed; some have had new builds of Exchange 2013 installed that already include the security update.

    @BT – Yes, my mailbox is on an on-premises E2013 RTM CU2 server and the patch is installed.  Please remember, the updated security binaries were not the issue with the recall; it was a setup issue (specific to how Search Foundation is installed) that caused the problem.  The updated binaries have nothing to do with search.

    @Benoit – This update will not need to be removed in order to install CU3 (or a later CU in the event you don't deploy CU3).

  16. BT says:

    Ross Smith,

    So you have not dogfooded the product yourself, yet you write an article recommending others to apply this patch. Understood.

  17. Should this security update be installed on Exchange 2013 server with dedicated CAS role?

    After installing on a dedicated Exchange 2013 CAS server I see a new disabled service: Microsoft Exchange Search Host Controller

    Martijn

  18. ABCFED says:

    Thank you for clarifying.

    As I understand it, the Exchange team had split their mailbox usage among Exchange 2010, Exchange 2013, and Office 365 back end services. All of those services have the latest updates applied before releasing them to the public and a number of Exchange coders are utilizing the latest product patches themselves currently.

    Perfect. Not sure what the others are complaining about here with that enlightenment. Sounds like everything is working correctly in development and the patches are in fact being tested with live Microsoft users. Sounds like you are on the right track and I look forward to applying this update for my customers.

    :)

  19. Ross Smith IV says:

    @BT – I am not sure where you derived that statement as it isn't what I said.

  20. Ross Smith IV says:

    @Benoit – one clarifying comment; if you are on CU2 (or later) then you can go to a newer CU without uninstalling Interim Updates or security patches prior to install.  For RTM and CU1, you will have to uninstall the security update (or interim update) prior to installing a new CU (like CU2).

  21. Should this security update be installed on Exchange 2013 CU2 server with dedicated CAS role?

    After installing on a dedicated Exchange 2013 CU2 CAS server I see a new disabled service: Microsoft Exchange Search Host Controller. Note: this security update has not been installed before (new installation).

    Installation on dedicated Exchange 2013 CU2 Mailbox server goes without problems.

    Martijn

  22. @Martijn – Our recommendation is that all servers be updated.  On a dedicated CAS server the binaries that are affected by the security vulnerability are installed and we want to make certain that they are updated.  You are correct that on a dedicated CAS server, because there are no Information Store processes, search is not present on this box so the work around is not required.  Further, the recommendation is that the updated patch be applied to ensure that there are no problems servicing the server in the future.

  23. @Brent,

    After installing on a dedicated Exchange 2013 CU2 CAS server I see a new disabled service: Microsoft Exchange Search Host Controller. Note: this security update has not been installed before (new installation).

    So, a new disabled service (Microsoft Exchange Search Host Controller) is 'by design'?

    Martijn

  24. Cowardly says:

    @ BT – I wonder if you would be so rude if you were speaking to the Exchange Product Team in person.  If you hate the way the patches and updates are tested, why are you even using Exchange?  Maybe it's time to find a new mail solution or time for you to find a new specialty.
