In the security advisories released on 10/09/2018, CVE-2010-3190 was updated to apply to Exchange Server. This bulletin now applies to all versions and cumulative updates for Exchange Server released prior to October 2018.
The Exchange team is aware that the installation program for Exchange Server installs an unpatched version of a binary released with Visual Studio. That binary was updated in the package to address CVE-2010-3190.
This action is necessary to ensure servers are protected against the vulnerability outlined in the advisory. Windows Update and Microsoft Update will not automatically apply this update to an Exchange Server. Installing a cumulative update released prior to October 2018 will overwrite the affected binary, even if MS11-025 was previously applied to the server. The advisory lists the MS11-025 update as important, indicating there is low to medium risk associated with the vulnerability. Microsoft is not aware of any instances where the exploit has been used against an Exchange Server.
Applying this update does not require a reboot of the server or stopping any Exchange services.
The Exchange team considers ensuring the security of your servers and data our top priority. We have examined the Exchange installation process to identify any additional similar scenarios where dependent binaries are not being properly updated when Exchange is installed. We have modified Exchange installation so that all cumulative updates released after September 2018 will no longer install dependent Visual Studio binaries. We have added prerequisite rules to ensure that the correct version of the Visual C++ and Microsoft Foundation Class (MFC) libraries is installed via their native redistribution package before Exchange installation will proceed. These steps will ensure that the correct versions of system and shared binaries are installed and that Windows Update and Microsoft Update are able to detect the need for any future updates to these dependent binaries.