MS11-025 required on Exchange Server versions released before October 2018


In the security advisories released on 10/09/2018, CVE-2010-3190 was updated to apply to Exchange Server. This bulletin now applies to all versions and cumulative updates for Exchange Server released prior to October 2018.

The Exchange team is aware that the Exchange Server installation program installs an unpatched version of a Visual Studio binary, one that was updated in the MS11-025 package to address CVE-2010-3190.

The Exchange team encourages customers to apply the KB2565063 update described in MS11-025 to all Exchange servers.

This action is necessary to ensure servers are protected against the vulnerability outlined in the advisory. Windows Update and Microsoft Update will not automatically apply this update to an Exchange Server. The installation of a cumulative update released prior to October 2018 will overwrite the affected binary even if MS11-025 was previously applied to the server. The advisory rates the MS11-025 update as Important, indicating low to medium risk associated with the vulnerability. Microsoft is not aware of any instances where the exploit has been used against an Exchange Server.

Applying this update does not require a reboot of the server or stopping any Exchange services.

The Exchange team considers ensuring the security of your servers and data our top priority. We have examined the Exchange installation process to identify any additional, similar scenarios where dependent binaries are not properly updated when Exchange is installed. We have modified Exchange installation so that all cumulative updates released after September 2018 will no longer install dependent Visual Studio binaries. We have added prerequisite rules to ensure that the correct versions of the Visual C++ and Microsoft Foundation Class (MFC) libraries are installed via their native redistributable package before Exchange installation will proceed. These steps ensure that the correct versions of system and shared binaries are installed and that Windows Update and Microsoft Update are able to detect the need for any future updates to these dependent binaries.

The Exchange Team
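Since the post gives no way to tell whether a server still carries the unpatched binary or whether a later cumulative update has overwritten the fix, here is an added PowerShell check. It is not the Exchange team's code. The file names (mfc100.dll, atl100.dll) and the version numbers it compares against come from the comments below this post (10.0.40219.325 reported after a KB2565063 repair, 10.0.30319.1 on an untouched server) and are assumptions to confirm against the file information in the MS11-025 article for your OS; the server names in the remoting comment are placeholders.

```powershell
# Added example, not from the Exchange team's post. Reports whether the Visual
# C++ 2010 runtime files a pre-October-2018 Exchange CU drops into System32
# carry the MS11-025 (KB2565063) file version, and whether a Visual C++ 2010
# package is registered in Programs and Features.
# Assumed values (from this post's comments): patched version 10.0.40219.325,
# unpatched 10.0.30319.1; file names mfc100.dll and atl100.dll.

function Get-Vc2010RuntimeStatus {
    [CmdletBinding()]
    param(
        [string[]]$FileName = @('mfc100.dll', 'atl100.dll'),
        [string]$Directory = (Join-Path $env:SystemRoot 'System32'),
        [version]$PatchedVersion = [version]'10.0.40219.325'
    )
    foreach ($name in $FileName) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) {
            # CU11 and later no longer install these files, so "Missing" on
            # such a server is expected rather than a finding.
            [pscustomobject]@{ File = $path; Version = $null; Status = 'Missing' }
            continue
        }
        $info = (Get-Item -LiteralPath $path).VersionInfo
        # Build the version from the numeric parts; the FileVersion string can
        # carry extra text that [version] cannot parse.
        $v = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
        $status = if ($v -ge $PatchedVersion) { 'Patched' } else { 'NeedsKB2565063' }
        [pscustomobject]@{ File = $path; Version = $v; Status = $status }
    }
}

function Get-Vc2010Package {
    # Mirrors what Programs and Features shows: any registered Visual C++ 2010
    # redistributable. Several commenters report none on Exchange 2016 servers;
    # the post says to apply KB2565063 regardless, so absence is informational.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    Get-ChildItem -Path $keys -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2010*' } |
        Select-Object DisplayName, DisplayVersion
}

# Run locally; for a fleet, push the function over WinRM (placeholder names):
# Invoke-Command -ComputerName EX01, EX02 -ScriptBlock ${function:Get-Vc2010RuntimeStatus}
$status = Get-Vc2010RuntimeStatus
$status | Format-Table -AutoSize
Get-Vc2010Package | Format-Table -AutoSize
if ($status | Where-Object { $_.Status -eq 'NeedsKB2565063' }) {
    Write-Warning 'Apply KB2565063 (MS11-025) and re-run after any pre-October-2018 cumulative update.'
}
```

Re-run the check after every cumulative update installed from the pre-October-2018 set, since the post states those CUs overwrite the patched file; a server that reports Patched before the CU and NeedsKB2565063 after it is the case the post warns about.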

Comments (67)

  1. Mikael S. says:

    Is this for real? The MS11-025 bulletin is from April 12, 2011 (Updated: March 13, 2012). Is it still valid as a vulnerability bug?

  2. @Mikael,

    This is real and the suggested patch is valid.

    The Exchange team considers ensuring the security of your servers and data our top priority. As soon as we learned of this problem we began working on an Exchange fix, which will soon be available. In the meantime we encourage customers to apply the KB2565063 update to all Exchange servers. Microsoft is not aware of any instances where the exploit has been used against Exchange Server.

    1. Mikael S. says:

      Thanks Brent,
      How about the compatibility for Exchange Server 2016 on Windows Server 2012 R2 or 2016?

      1. Yes, it’s compatible and should be applied.

  3. Grega says:

    Hi.
    Where is new CU btw?
    It should be here already in September.
    Did this bug delay it?

    1. @Grega, We have finished work on the cumulative update expected in September and it will be arriving shortly.

  4. Andery says:

    It requires a reboot of the server!

    1. Fabian Kessler says:

      Server 2012 R2 and Exchange 2013 –> No reboot needed
      Server 2016 and Exchange 2016 –> Reboot needed

      1. MarcK4096 says:

        Installed on my failover server (Exchange 2013 on Server 2012 R2) and it requested a reboot at the end informing me that .NET based applications could fail to work until the reboot. I scheduled install to the main production server for off hours after this.

        1. Martin Aigner says:

          Same on an Exchange 2016 Test Server on Windows Server 2016. Asks for reboot or applications dependent on .NET Framework may stop working

      2. I installed the patch on 4 Exchange 2016 servers on Windows Server 2016, no update required.

      3. If you are seeing a reboot on Windows Server 2016, one of two things is happening: 1) This is a Windows deferred reboot from another installation triggering a reboot or 2) Something other than Exchange is loading and using the binaries. It is most likely this is a deferred reboot. Exchange 2016 does not use or load the impacted binaries during server operation and would not force a reboot.

  5. Aleh Alisevich says:

    Does the update support only Win2008R2 and earlier?
    what about Win2016? Ex 2016?

    1. Mikael S. says:

      Good question as it is not mentioned in the support article.
      I hope that MS can clarify if it supports Exchange 2016 on Windows Server 2012 R2 or 2016?

      1. The download only lists those older OS’s, but it does apply to newer OS’s too – so yes, you should install it on Windows 2012 R2 and 2016 as well.

  6. TJ.Hooker74 says:

    Is this also for EX2016 CU10 on SRV2016?
    “Programs & Features” only shows me C++ 2005, 2012 and 2013 but not 2010…

    THX!

  7. Stephen Hudson says:

    Same here…
    Our Server2016/Exchange2016 has only C++ 2012 and C++ 2013 installed.
    So I guess CU11 (when it arrives) will pass the pre-requisite test and install (update) correctly?
    Kind regards
    Stephen

    1. Correct, CU11 does not include the unpatched binary and so will not overwrite the patched file.

  8. Thomas says:

    Hi.
    Would “Security Update For Exchange Server 2013 CU21 (KB4459266)” be enough to cover this one as well (the KB article mentions CVE-2010-3190 as one out of three vulnerabilities being solved)? Or do we need to install the update from MS11-025 separately?

    1. @Thomas, on Exchange 2013 you need to install the MS11-025 update.

      1. Johannes Wein says:

        We have installed KB2565063 (MS11-025 Update). KB4459266 in Windows Update still shows up. Will it disappear or should we hide it via “Hide Update”?

        1. @Johannes, you need to install KB4459266 in addition to the fix outlined in MS11-025. You should not hide the update.

  9. Thomas says:

    C++ 2010 was installed on Server 2016 with Exchange 2016 CU10. When downloading the update and starting it, I got the question to repair or remove the update. Is repairing sufficient to fix the bug, or do I have to remove and completely reinstall the update?

    After a repair no reboot was required.

    1. @Thomas, a repair operation will make the necessary changes without the need to uninstall or re-install the update. Repair indicates that the product was detected as previously installed outside of the Exchange installation.

      1. Nick says:

        I did a repair, still shows the vulnerability and file is not patched.

  10. Johannes Wein says:

    When executing the .exe we get a message on some of our Exchange 2013 servers that it will do a full installation instead of a repair. Is the update also required if Microsoft Visual C++ 2010 Service Pack 1 is not installed?

    1. @Johannes, yes this is required until Cumulative Update 11 or later is installed on the server.

      1. Johannes Wein says:

        We already have CU21 installed. So there’s no need to install the KB2565063 update? This information should be included in the blog article.

        1. @Johannes, installing Cumulative Update 21 by itself will not resolve this. You must install the KB if it was not installed after the cumulative update was installed, as the cumulative update will overwrite the version previously installed.

          1. Johannes Wein says:

            According to another article on the web, it’s all about the version of “C:\Windows\System32\mfc100.dll”?
            On our Exchange 2013 machines on which we chose the “Repair” option in the setup dialog of KB2565063 we now have:
            Version: 10.0.40219.325
            Modified: June 11th, 2011

            On our Exchange 2013 machines with no “Microsoft Visual C++ 2010 Redistributable” installed, (no action was taken by now), we have:
            Version: 10.0.30319.1
            Modified: March 18th, 2010

            The responsible Microsoft team should put the exact information in the blog article on how we can determine if the update is A) necessary B) was installed correctly.

          2. @Johannes, the DLL specifics are outlined in the MS11-025 article. MFC100.dll will be updated, but is not the impacted DLL. The impacted DLL is ATL100.dll.

  11. Don says:

    So just to clarify even if Microsoft Visual C++ 2010 is not listed in Add/Remove Programs this update should be applied?

    What about servers that have the same version currently installed? Should we run the installer again on those servers to re-install with the new binary?

    1. @Don, the answer to both of your questions is yes. If Visual C++ 2010 is not currently installed on your server, once you have deployed Cumulative Update 11 or later, you can remove the Visual C++ package installed by the MS11-025 update.

      1. Don says:

        Thanks Brent that makes sense for Exchange 2016, but what about Exchange 2010 servers that do not have C++ 2010 listed in add/remove programs?

        1. @Don, sorry for not answering your question fully. On Exchange Server 2010, MS11-025 needs to be installed after an Exchange Service Pack is installed. The MS11-025 update needs to remain on the server to ensure that any future updates are offered by Windows Update and Microsoft Update. You will not see Visual C++ 2010 listed in Add/Remove programs on Exchange Server 2010 until after MS11-025 has been applied. You do not need to reapply MS11-025 when applying an Update Rollup.

      2. Stephen Hudson says:

        Hi Brent, I still need this clarified…
        We have Server2016/Exchange2016-CU10
        Only C++ 2012 and C++ 2013 are installed
        Are you saying we have to install KB2565063 (MS11-025), simply to satisfy the pre-requisites of the imminent CU11, Then we can safely uninstall it?

        1. Yes, install KB2565063 (MS11-025) now, and CU11 when it comes out – you should not uninstall KB2565063 (MS11-025) after CU11, just leave it there.

  12. Sandy says:

    I am confused about the re-release of Ex 2016 CU10 with KB4459266 that appears to be replacing the one with KB 4099852. I have already applied CU10. Should I only be applying the Visual Studio patch now and be OK, or does this new CU10 contain additional fixes? And why release a CU10 again when CU11 should be the one already available? I am completely confused about the CU numbers unless there was an error on what KB4459266 should really be. Can you clarify?

    1. Sorry if it’s confusing Sandy. It’s a complex issue.

      If you are on 2016 CU10 today, apply the KB2565063 update, then apply CU11 when it comes out. And you’re done. From then on, just keep applying CU12, 13 etc, no need to do anything else.

    2. @Sandy, adding to what Greg has stated. There is no re-release of Cumulative Update 10. KB4459266 is a security update released this month that applies to Cumulative Update 9 and Cumulative Update 10. KB4459266 patches the base cumulative update to address issues unrelated to the Visual Studio binaries. It was not possible to release a single patch covering all three CVEs reported this month. When patching a server running Cumulative Update 9 or Cumulative Update 10, you need to install two patches this cycle: KB4459266 (CVE-2018-8265 and CVE-2018-8448) and KB2565063 (CVE-2010-3190).

  13. Alex says:

    Any hint if the x86 and/or x64 version of KB2565063 is needed?

    e.g. before the last CU installation, I pre-installed VC++2013 (x64) runtimes, but it seems that the update process was also pulling/installing the x86 version…

    Thx in advance

    1. Ronen says:

      Hello,
      We have Exchange 2010 SP3 CU18. When I try to install the KB2565063 update I get a message:
      repair Microsoft Visual C++ 2010 x64 or remove Microsoft Visual C++ 2010 x64

      please advise me.
      Ronen

      1. Martin Aigner says:

        This has been answered already above Ronen. A repair does the job you are looking for.

    2. Chris says:

      Can you confirm if we need to install the x86 or x64 version, or both?

      Exchange 2013 CU21, Server 2012R2

      1. @Chris, only the x64 version is required.

        1. Chris says:

          Many thanks.

          Interestingly, in my case the update installed on the CAS servers without requiring a reboot. The mailbox servers all needed a reboot, however.

  14. Robert Derbyshire says:

    Server 2012 Ex2013 CAS – No restart
    Server 2012 Ex2013 Mailbox Server

    1. Perikles Mourikis says:

      Win 2012R2 + Exch 2013 all 3 servers required a reboot
      One of them had JUST been rebooted, so it is unlikely a previous pending reboot triggered it
      Anyway…

      1. Then maybe something other than Exchange is loading and using the binaries.

  15. Marc says:

    When trying to install KB4459266 on one of our three Exchange 2016 CU10 servers, we receive error 0x800705b4.
    This leaves the Server in an unrecoverable state with all Exchange and some dependent services disabled.
    We tried everything we could find, including resetting the Windows Update services and its cache and disabling all antivirus, to no success. Same result when trying to install the update manually with the .msp file. We ended up restoring a backup for this server. It came back and was syncing up with the DAG.
    But as soon as we try to install the update, it fails again. The other two servers didn’t have any problem with that.
    Any ideas?

    1. Marc, I’d suggest opening a case with support, that’s the best way to get into it and figure out what’s going on.

  16. CGL says:

    Hello,

    I have a few questions:
    1.) For two Exchange 2016 CU2 servers (DAG), what would be the proper upgrade path to avoid this vulnerability?
    2.) Upgrade to CU9 or CU10? Or upgrade to CU8 and install this patch and wait for CU11 to be released?

    1. @CGL, I would recommend you apply the MS11-025 update, then deploy Cumulative Update 11 when it is released.

      1. CGL says:

        Hi Brent, thanks for getting back to me. Do you recommend to update from CU2 to CU8 or to CU10? How long until CU11 comes out? Do you have some steps that you might know on how to properly upgrade from Exchange 2016 CU2 to the latest CU release?

        1. @CGL, given your current condition, I recommend you install .NET 4.7.1 and then immediately upgrade to Cumulative Update 11. Exchange 2013 and later are written to allow in place upgrades from RTM or any cumulative update, to the latest cumulative update for the product version installed. As you can see on previous posts, there are specific releases where we advance the .NET requirement and announce support for a particular version of .NET. The .NET upgrades are highly compatible releases and should not cause you a problem “leapfrogging” from an older unsupported combination to the supported combination of Cumulative Update 11 and .NET 4.7.1.

          We are planning to release Cumulative Update 11 within the next week.

  17. sime3000 says:

    Why is it that for this blog post and others like the Exchange 2019 preview announcement people are forced to ask obvious questions that should have been answered in the blog post itself?
    You can’t be bothered to take a few minutes to come up with a chart that will answer concerns about different OS and Exchange combinations and KB2565063?
    You can’t be bothered to offer basic information that people need to know about the Exchange 2019 preview in that blog post – we have to post basic questions there to get the information?
    You can’t be bothered to update the supportability matrix with things like information about support for the presence of Windows 2019 domain controllers? https://docs.microsoft.com/en-us/exchange/exchange-server-supportability-matrix-exchange-2013-help
    You can’t be bothered to post something about the next Cumulative Updates in September when people are expecting them? Someone has to ask an obvious question about it in mid-October to get any information?

  18. HomeCloset says:

    If the Exchange team really considers ensuring the security their top priority, please revise this incompetent blog post to sort out cleanly all the customer confusion demonstrated in the messy comments.

  19. Adonis Bunn says:

    Hello, since you didn’t mention this issue with Exchange Server 2010, I assume that Exchange 2010 is safe. Could you please help me with this question? Tks

    1. “This bulletin now applies to all versions and cumulative updates for Exchange Server released prior to October 2018.”

      So yes, it applies to Exchange Server 2010 as well.

  20. Stephen Hudson says:

    Hi Brent/Greg, Quick question;
    I know that, as per this blog, we must install KB2565063 (CVE-2010-3190) C++ patch now.
    But will Exchange 2016 CU11 contain security update KB4459266 (CVE-2018-8265)?
    Kind regards

  21. Todd says:

    We’re deployed with Exchange 2013/CU21/Windows Server 2012 R2 x64. The system requirements for this patch do not list our server OS, but based on some of the comments we should deploy this patch – specifically ‘Exchange2013-KB4340731-X64-en.msp’ – anyway?

    Thanks

    1. Anonymous says:
      (The content was deleted per user request)
    2. Yes Todd, and the KB2565063 update. The download link for Security Update For Exchange Server 2013 CU21 (KB4340731) does list your OS. The x64 annotation isn’t there, if that’s confusing you – because you can’t install on x86 anyway.

      1. Todd says:

        Is there a specific order in which ‘vcredist_x64.exe’ and ‘Exchange2013-KB4340731-X64-en.msp’ should be installed?

        The confusing part is the system requirements section for KB2565063 update doesn’t list the OS we are deployed on:

        Supported Operating System
        Windows 7, Windows Server 2003 R2 (32-Bit x86), Windows Server 2003 R2 x64 editions, Windows Server 2008 R2, Windows Vista Service Pack 2, Windows XP

        1. No specific order. Just install them both.
