Home » Blog » Microsoft Releases Critical Security Updates for Exchange Server 2016, 2013, 2010, and 2007

Microsoft Releases Critical Security Updates for Exchange Server 2016, 2013, 2010, and 2007

Microsoft has published security bulletin MS16-108 in September 2016, which includes critical security updates for all currently supported versions of Exchange Server.

Included in MS16-108 are updates to patch remote code execution vulnerabilities in Oracle Outside In libraries, which is third party code that Microsoft licensed for use in Exchange. These Oracle libraries have been the cause of many, many security vulnerabilities in different versions of Exchange Server over the years.

Updates are available for:

If you are running any earlier builds of Exchange not listed above, then you should consider them at risk for this vulnerability.

The timing of these patch releases is such that the next cumulative updates for Exchange 2013 and 2016 could be released any day now. The security updates above will be included in the next cumulative updates. Regardless of the anticipated timing of the CU releases, you should begin your testing and planning to deploy the standalone security updates now, considering they are critical updates. As no details of Exchange 2013 CU14 or Exchange 2016 CU3 have been publicly announced, it’s possible they will contain other functional changes that you need more time to test without delaying these critical security updates.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Blog


  1. Mathew says:

    Hi Paul, If we were running Exchange 2013 CU10 would this require an update to CU12 or CU13 and then apply the patch. I was assuming from what you have above, an update is needed first.

    Thank you for your time,

  2. Jaffar says:

    Hi Paul ,

    Do we need to install this patch even for which has only EDGE Role server also ? and Second question do you recommend install this patch first in Test environment and then too Production environment ?

  3. Mohammad says:

    Hi Paul,

    As this update says as RU15 for Exchange 2010 SP3. Does environment need to be RU14 to install this update?



    • You asked whether anyone faced any issue. Nobody replied. All you can conclude from that is that nobody replied. If you have concerns about a patch you should use a test environment to validate it before you deploy to production.

  4. Ranga says:

    Don’t have test environment Paul. however i did google and following exchange blog no one reported issue with new security update on exchange 2010 sp3 and 2013 cu12 . Only issue in exchange 2016 So I’m fine with that.

Leave a Reply

Your email address will not be published. Required fields are marked *