Released: Microsoft Security Bulletin MS13-105 for Exchange


Today the Exchange team released security bulletin MS13-105. Updates are being made available for the following versions of Exchange Server:

  • Exchange Server 2007 SP3
  • Exchange Server 2010 SP2
  • Exchange Server 2010 SP3
  • Exchange Server 2013 CU2
  • Exchange Server 2013 CU3

Customers who are not running one of these versions will need to upgrade to an appropriate version in order to receive the update.

Security bulletin MS13-105 contains details about the issues resolved, including download links.

For Exchange Server 2007/2010 customers, the update is being delivered via an Update Rollup per standard practice. Due to the timing of the release of our most recent Update Rollups, the only difference between the previously released Update Rollup and the Security Update Rollup released today is the inclusion of the security updates identified in MS13-105. We did not include updates for any other customer reported issues in these packages to ease their adoption.

For Exchange Server 2013 customers, security updates are always delivered as discrete updates and contain no other updates. Security updates for Exchange 2013 are cumulative in nature based upon a given Cumulative Update. This means customers who are running CU2 who have not deployed MS13-061 can move straight to the MS13-105 update because it will contain both security updates. Customers who are already running MS13-061 on CU2 may install MS13-105 on top of MS13-061 without removing the previous security update. If MS13-061 was previously deployed, Add/Remove Programs will indicate that both updates are installed. If MS13-061 was not previously deployed, only MS13-105 will appear in Add/Remove Programs.

These updates are being made available via Microsoft Update and on the Microsoft Download Center.
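The post lists five baselines and says anything else must be upgraded first; the following script (an added example, not the Exchange team's code) reports each server's baseline and lists the Exchange update entries the local server shows in Add/Remove Programs. It assumes Exchange 2013 CU2 and CU3 are builds 15.0.712.x and 15.0.775.x (taken from Microsoft's published build table; verify) and that 2007/2010 SP level is the minor version (8.3, 14.2, 14.3).

```powershell
# Added example, not the Exchange team's code: report which servers are on a
# version MS13-105 is released for (per the post) and which need an upgrade
# first. Run from the Exchange Management Shell.
# ASSUMPTION: 2013 CU2/CU3 are identified by build 712 / 775 (15.0.712.x and
# 15.0.775.x) from Microsoft's published build table; verify before relying
# on it. 2007/2010 SP level is the minor version (8.3, 14.2, 14.3).

$SupportedBaselines = @(
    @{ Name = 'Exchange Server 2007 SP3'; Major = 8;  Minor = 3; Build = $null }
    @{ Name = 'Exchange Server 2010 SP2'; Major = 14; Minor = 2; Build = $null }
    @{ Name = 'Exchange Server 2010 SP3'; Major = 14; Minor = 3; Build = $null }
    @{ Name = 'Exchange Server 2013 CU2'; Major = 15; Minor = 0; Build = 712 }
    @{ Name = 'Exchange Server 2013 CU3'; Major = 15; Minor = 0; Build = 775 }
)

function Get-Ms13105Baseline {
    # Maps an AdminDisplayVersion string such as "Version 15.0 (Build 775.38)"
    # to one of the five baselines, or $null when the server needs an upgrade.
    param([Parameter(Mandatory)][string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -notmatch 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return $null
    }
    $major = [int]$Matches[1]; $minor = [int]$Matches[2]; $build = [int]$Matches[3]
    foreach ($b in $SupportedBaselines) {
        if ($b.Major -eq $major -and $b.Minor -eq $minor -and
            ($null -eq $b.Build -or $b.Build -eq $build)) {
            return $b.Name
        }
    }
    return $null
}

function Get-LocalExchangeUpdateEntries {
    # Lists the Exchange Update Rollup / Security Update entries the local
    # server shows in Add/Remove Programs (the post notes that on 2013 CU2
    # both MS13-061 and MS13-105 appear there when both were installed).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Exchange Server*' -and
                       $_.DisplayName -match 'Update Rollup|Security Update' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

# Organization-wide view: one row per server, flagged when an upgrade is
# needed before the security update can be applied.
Get-ExchangeServer | ForEach-Object {
    $version  = $_.AdminDisplayVersion.ToString()
    $baseline = Get-Ms13105Baseline -AdminDisplayVersion $version
    $label    = if ($baseline) { $baseline } else { 'NOT COVERED - upgrade first' }
    [pscustomobject]@{
        Server   = $_.Name
        Roles    = $_.ServerRole
        Version  = $version
        Baseline = $label
    }
} | Sort-Object Baseline, Server | Format-Table -AutoSize

# Local view: which rollups / security updates this server already has.
Get-LocalExchangeUpdateEntries | Format-Table -AutoSize
```

For 2007/2010 the Update Rollup level is not part of AdminDisplayVersion, so the local Add/Remove Programs listing is what tells you whether RU4 (2010 SP3) or the matching rollup is already in place.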

Exchange Team

Comments (64)
  1. Anonymous says:

    We’re running Exchange 2010 SP3 RU4 here without any problems

  2. Anonymous says:

    zxc

  3. Anonymous says:

    It’s been a while; I just wanted to hear back from some people on their thoughts about installing RU4 for 2010 SP3. It seems a few are having issues but they don’t specify the version. I would like to upgrade to this but was holding out for more info.

  4. Anonymous says:

    After installing RU4 for security related reasons I have installed RU3. Now category view is broken in Outlook 2010. Weird issues: when switching from the inbox to another folder it shows old emails; when you go back to the inbox and back to the folder it displays the correct emails. Again go back to the inbox and back to the folder and old emails are displayed; back to the inbox, back to the folder and all emails are there. (non-cached mode)
    Having intermittent backup problems now, not sure if it is related, but my faith in these rollups is gone.
    Exchange 2010 SP3 RU4.

  5. Anonymous says:

    Do not upgrade to ru4. Still buggy.

  6. Anonymous says:

    Running without problems on ~70 servers here (SP3RU4).

  7. Anonymous says:

    Greg
    As to my post from 16 Dec 2013 3:04 PM related to Outlook Credentials. Problem was traced to autodiscover issue. where client was not able to authenticate. All services were running, iisreset did not help. An additional restart of Exch Server solved the problem. Still don’t know the reason.

  8. Anonymous says:

    I believe no one who claims to have an Exchange 2013 organization running on 70 servers with no problems at all. That is simply impossible to believe.

  9. Anonymous says:

    2010 SP3 RU3 Good to Go? Less issues with RU3 compared to RU4?

  10. Anonymous says:

    Oh wait, I see you stated “Exchange 2013 coding is an unmitigated disaster”. Still trying to figure out if RU4 is OK for 2010 Exchange. Seems like only a few may have some slight issues with it.

  11. Anonymous says:

    Still issues with RU4. Can’t get the test lab to work after installing. Breaks and destroys CAS services willy-nilly. Exchange 2013 coding is an unmitigated disaster. Months, aw hell let’s be honest here, more than a year after release it’s buggier than Herbie and runs about as well as Lindsey Lohan.

  12. Anonymous says:

    Great job Microsoft. Just ran ru4 last night. Now Outlook continually prompts the users for a password. I’ve already opened a ticket and am awaiting a callback from professional support. Way to completely ***-up an update yet again.

  13. Anonymous says:

    Well, 2 weeks on, we haven’t rolled this out (current 2010 SP3 RU2). The decision comes down to possible security risk vs causing known problems with the 2010 SP3 RU3 bugs. Our customers won’t tolerate broken products. Any simple dogfood testing of the RU3 patch for a week would have picked up these bugs.

  14. Anonymous says:

    I do have 2010 SP3 RU4 running in a test env, but we don’t do much of any testing with it unless someone reports something here; then I go and try to validate it. Our prod env is much more complicated than our test env, so putting the RUs in our test env really doesn’t validate anything other than that it doesn’t blow up the servers.

  15. Anonymous says:

    To the post above me, are you running 2010 or 2013?

  16. Anonymous says:

    As I see by BSOD-dump, it is because of Health Monitoring service:

    Debugging Details:
    ——————
    Page 785dd not present in the dump file. Type “.hh dbgerr004” for details
    PROCESS_OBJECT: fffffa80143727f0
    DEBUG_FLR_IMAGE_TIMESTAMP: 0
    MODULE_NAME: wininit
    FAULTING_MODULE: 0000000000000000
    PROCESS_NAME: MSExchangeHMWo
    BUGCHECK_STR: 0xF4_MSExchangeHMWo
    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
    CURRENT_IRQL: 0
    LAST_CONTROL_TRANSFER: from fffff80001c57ab2 to fffff800018c9bc0
    STACK_TEXT:
    fffff880`0a2d0b08 fffff800`01c57ab2 : 00000000`000000f4 00000000`00000003 fffffa80`143727f0 fffffa80`14372ad0 : nt!KeBugCheckEx
    fffff880`0a2d0b10 fffff800`01c02abb : ffffffff`ffffffff fffffa80`182f1060 fffffa80`143727f0 fffffa80`17d38060 : nt!PspCatchCriticalBreak+0x92
    fffff880`0a2d0b50 fffff800`01b82674 : ffffffff`ffffffff 00000000`00000001 fffffa80`143727f0 00000000`00000008 : nt! ?? ::NNGAKEGL::`string’+0x17486
    fffff880`0a2d0ba0 fffff800`018c8e53 : fffffa80`143727f0 fffff880`ffffffff fffffa80`182f1060 00000000`00000000 : nt!NtTerminateProcess+0xf4
    fffff880`0a2d0c20 00000000`77a8157a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`2a93d1e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77a8157a

    STACK_COMMAND: kb
    FOLLOWUP_NAME: MachineOwner
    IMAGE_NAME: wininit.exe
    FAILURE_BUCKET_ID: X64_0xF4_MSExchangeHMWo_IMAGE_wininit.exe
    BUCKET_ID: X64_0xF4_MSExchangeHMWo_IMAGE_wininit.exe
    Followup: MachineOwner

  17. Anonymous says:

    After this update, on one of the mailbox servers in the DAG, BSODs with CRITICAL_OBJECT_TERMINATION also appear daily. Before the update the server was stable…

  18. Rhys says:

    Anyone seeing any news of this being used in the wild? It sounds like it has serious potential.

    Untested patch and 2010 SP3 RU3 problems VS a known serious vulnerability?

  19. Sean says:

    So do we need to re-download and re-run the CU (ex 2010)?

  20. @Sean, can you expand on that question? Exchange 2010 only has RUs and SPs. For example you previously installed 2010 SP3 RU3, then all you need to do is download and install 2010 SP3 RU4 to get the security update for MS13-105 in addition to the other updates provided in RU1 through RU3.

  21. Just did RU11 says:

    Can I just patch the 2007 SP3 CAS, since this is just the security fix, without having to update CCR?

  22. @Just did RU11 – Our recommendation is that customers deploy a consistent version of any Update Rollup across all servers in their environment. We support co-existence of versions for the period of time it takes a customer to deploy an update, which we presume to be a temporary condition.

  23. Does installing this Cumulative Update or Update Rollup mean we need to perform an uninstallation again when the next CU or Service Pack needs to be deployed?

  24. Frank T says:

    "Server Support Specialist" – this is a full CU / RU which means you don't need to uninstall it. The next one, when it comes out, would just go over top of it. It's not an Interim Update.

  25. @Server Support Specialist – For 2013 you do NOT need to uninstall the security update to move to the next Cumulative Update or Service Pack. Similarly, for 2007/2010 you do NOT need to uninstall Update Rollups to move to the next Update Rollup or Service Pack.

    Today we require that any Interim Updates you may have received from support be uninstalled before moving to a later Update Rollup, Cumulative Update or Service Pack. We are working to remove this requirement in future builds of 2013.

  26. Martin says:

    Does Rollup 12 for Exchange 2007 fix the IE 11 OWA Problem? I can't find any information … Thanks

  27. Bharat Suneja [MSFT] says:

    @Server Support Specialist: No, you won't need to uninstall an Exchange 2010/2007 update roll-up to install the next update rollup (or service pack). Similarly, you won't need to uninstall an Exchange 2013 CU to install the next CU.

  28. Bharat Suneja [MSFT] says:

    @Martin: Please note, mainstream support for Exchange 2007 ended in 2012. Exchange 2007 SP3 RU7 was the last Exchange 2007 update released under mainstream support. The RU7 release announcement includes this info.

    Microsoft Product Lifecycle has support dates for Exchange 2007. Also see the Microsoft Support Lifecycle Policy FAQ, which includes details about availability of non-security hotfixes during extended support.

  29. John says:

    Please can you clarify that these vulnerabilities just affect CAS servers? I'd like to patch them ASAP if that is the case. Patching DAG/CCRs will take much longer and require organized down-time. I'm unsure whether I'll be able to get that just before the holidays.

    Of course, this will be just a case of timing, rather than leaving DAG servers unpatched.

  30. tech4 says:

    A few days back, Microsoft released RU3 and in a few days they released RU4. Can anyone tell me, if we still haven't deployed RU3 in the environment, do we install RU4 directly on the server? Are all the fixes that were part of RU3 there in RU4?

  31. @Tech – Everything contained in RU3 is in RU4 as well. You may go directly to RU4 and receive all the benefits of RU3 as well.

    @John – If your DAGs and CCRs do NOT have the CAS roles installed, then updating your CAS roles only will address all of the vulnerabilities. However, as previously mentioned, the recommendation is that this be a temporary state to achieve your deployment requirements and that all roles should be updated.

  32. Jason says:

    I am planning on doing an upgrade from 2010 SP2 RU5v2 to 2010 SP3 latest RU. So is this security bulletin considered RU4 now?

    So in order to do my upgrade I would just have to install SP3 first, and then this security update (RU4?) as it includes everything from RU1-RU3, correct?

  33. Bharat Suneja [MSFT] says:

    @Jason: That's right – because RUs are cumulative, RU4 includes all updates included in RU1-RU3, in addition to the security update.

  34. Marco Novelli says:

    How slow is installing that patch on Exchange 2013 CU3?

    On my Exchange 2013 VM (4vCPU, 32 GB RAM, RAID10 storage) the patch is running since 30 minutes!

  35. MS says:

    MS13-105 first states that "The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. These vulnerabilities could allow remote code execution in the security context of the LocalService account if an attacker sends an email message containing a specially crafted file to a user on an affected Exchange server."

    Then later in MS13-105, in the "MAC Disabled Vulnerability – CVE-2013-1330" FAQ, it states that "An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Local System service account."

    Also, the FAQ for "MAC Disabled Vulnerability – CVE-2013-1330" states that the attack vector is "In an attack scenario, the attacker could send specially crafted content to the target server."

    I am not certain if I understood this correctly. Is it really possible for an attacker to send specially crafted content to the target Exchange server and get Local System service account access, without any action from a user? If so, then this is definitely a more serious vulnerability than those for WebReady Document Viewing and Data Loss Prevention.

    Thanks for any clarification …

  36. @MS – The statement that the WebReady Document Viewing and Data Loss Prevention vulnerabilities are of greater importance reflects that these have already been publicly disclosed. The MAC Disabled Vulnerability was not known until our bulletin was released. As the bulletin states, both issues have received a critical rating, indicating that we encourage customers to address both issues as quickly as possible.

  37. Scott Thompson says:

    MS13-105 on Exchange 2007 SP3 causes OWA to stop working. No images are available and the pages only partially display.

  38. @Scott Thompson – MS13-105 has been validated in multiple customer environments and has not shown this condition. Please work through support channels to properly diagnose the issue you are seeing.

  39. Sean says:

    @Brian Ignore me–mis-read the article. I just need to install UR4

  40. tech4 says:

    Thanks brent.

    There are so many issues in RU3 related to IE and Outlook; is this fixed in RU4? Anyone who already applied RU4 in their environment?

    Is RU4 reliable?

  41. greg says:

    Hi guys!

    I installed this one on one of my Exchange servers and Firefox OWA problem is gone.

    No more memory and CPU eating :)

    Anyone else has the same effect?

  42. GregA says:

    Disregard above post.

    It was just one time that all worked OK; now the memory leak has appeared again :(

  43. After installing this fix, all performance counters (we are using Zabbix for monitoring) have disappeared.

    Exchange Team – are you using QA in development or using only customers for this? Still having WinXP issues with Public Folders after "stable" CU3 update. So mad.

  44. D says:

    @Scott Thompson, Scott, I had the same issue, but on running the RU again the problem was resolved. On investigating it seems to be a common issue with rollups.

    exchangeserverpro.com/exchange-2007-owa-stops-working-with-reason0-error

    and

    Also search for "exchange 2007 ru reason=0" and there are plenty of threads to choose from.

  45. After the update I cannot add perf counters for queues:

    MSExchangeTransport Queues(*)

    The counters do not appear.

  46. MS says:

    @Brent – thanks for clarifying. I still think that "MAC Disabled Vulnerability – CVE-2013-1330" is much more serious problem, and Exploitability Index in "technet.microsoft.com/…/ms13-dec" seems to point in that direction.

    I just hope everything goes well with applying this rollup …

    Can anyone tell me what is the average time needed for Rollup update 8 to finish installing? … is service unavailable to user the whole time or?

    Thanks.

  47. Phil says:

    Folks, a gentle reminder that this post relates to five different builds of Exchange.  Please state which one applies to your situation.

    Thanks in advance.

  48. DodgedTheQuestion says:

    Bharat – you didn't answer Martin's question with this response:

    @Martin: Please note, mainstream support for Exchange 2007 ended in 2012. Exchange 2007 SP3 RU7 was the last Exchange 2007 update released under mainstream support. The RU7 release announcement includes this info.

    That's all well and good but does the latest update for Exchange 2007 address the Internet Explorer 11 issues as seen (and fixed) in Exchange 2010 and 2013?

    One could infer from your dodging the question that the answer is no, but we shouldn't have to assume anything here on what would normally be a clear yes or no question.

  49. Bharat Suneja [MSFT] says:

    @DodgeTheQuestion: No, it does not.

    No intention to dodge the question here. I pointed to the lifecycle policy docs. The FAQ indicates that non-security hotfix support "Requires extended hotfix agreement, purchased within 90 days of mainstream support ending."

    I’ve also linked to the Exchange 2007 SP3 RU7 release post from April 2012, which includes the following support statement:

    Support lifecycle statement: This is the final release under standard support for Exchange 2007, as the Exchange 2007 Mainstream Support has now ended. Extended Support for Exchange 2007 SP3 will end on 4/11/2017. Please see the Microsoft Support Lifecycle page for more information about Microsoft Support Lifecycle for Exchange 2007. Got questions about Microsoft Support Lifecycle Policy? Head over to the Microsoft Support Lifecycle Policy FAQ.

    To be clear, only security-related fixes are provided when a product is on extended support, unless you have an extended hotfix agreement. IE11 support in Exchange 2007 is an example of a fix that isn’t security-related, and would require an extended hotfix agreement.

  50. Scott Thompson says:

    @D Thank you, that fixed the issue first time! Thank you for being so helpful. OWA now works as before.

  51. Martin says:

    Still lots of customers facing issues with Outlook freezing after deploying RU3. I think installing RU4 is risky because it contains the RU3 hotfixes as well.

  52. Outlook Credentials issues says:

    After applying MS13-105 over Ex 2013 CU3, the old problem with recurring MS Outlook 2010 credential prompts came back. Now, every time when opening Outlook, and from time to time during the day, a window pops up asking for the password. This problem existed in RTM, but was gone in CU1, CU2, CU2U2 and CU3. After applying 13-105 it’s back and it’s a nightmare again.

    greg

  53. tony says:

    Can anyone pitch in on the Outlook credentials issue being back in CU4? Anyone else experience it with their users? We are still holding on to install it until we get more reports…

  54. Oli says:

    Prompts for Outlook Credentials issues are often a client problem.
    Check:
    * IE Proxy settings, disable it for testing
    * Windows Password Vault, delete all entries
    * delete, cleanup , create new Outlook Profile

    rd /s /q "%USERPROFILE%\AppData\Roaming\Microsoft\Outlook"
    rd /s /q "%USERPROFILE%\AppData\Local\Microsoft\FORMS"
    rd /s /q "%USERPROFILE%\AppData\Local\Microsoft\Outlook"

  56. scott w says:

    We had the same issue as @Scott Thompson. Patch loaded, server rebooted and OWA full page was blank. Reapplied the Rollup per @D’s suggestion and did not have to reboot. Fixed our issue. Some services were stopped during update so I think you may still have to perform the rollup after hours.

  60. Sebastien says:

    For the category view bug in Outlook (online mode), a KB will be released in a few days.
    The bug isn’t present in Outlook cached mode.
    A workaround is to create an Outlook rule (with ECP or the Outlook client) which applies a default category to all new mail.
    The bug will be fixed in RU6.

  61. zuababa says:

    So once again – to install UR4 do I need to have UR1, UR2 and UR3 installed first or is it enough to directly install latest one and it will cover previous ones?

    The premium view for IE11 is fixed already in UR3?

  62. Phil says:

    @zuababa Rollups are cumulative, so you can apply Exchange 2010 RU4 directly after SP3

  63. tech4 says:

    Last weekend we installed RU4 on the server and suddenly we faced an issue with conference room booking; the error is "Can’t directly book a resource for this meeting" in Outlook 2007. I have to remove the free/busy from MFCMAPI, then it works. We also have the public folder mounted. Any idea? Any patch for Outlook or Exchange for that?

  64. tony says:

    Guys, when you post your issues, please specify Exchange version you are running (2010, 2013 etc). Otherwise it’s impossible to tell which version you are having (or not having) issues with. Thanks!
