While checking Reddit this morning I stumbled across this thread discussing a security update released by Microsoft this week for a critical vulnerability in Exchange Server.

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.

Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.

Updates have been released for the following versions of Exchange, and you can download them all here:

  • Exchange Server 2010 SP3 with Update Rollup 21
  • Exchange Server 2013 SP1 (CU4), aka the version that is technically supported these days but please don’t deploy it or stay at this version
  • Exchange Server 2013 CU19
  • Exchange Server 2013 CU20
  • Exchange Server 2016 CU8
  • Exchange Server 2016 CU9

To address a few misconceptions that are coming up in that Reddit thread, and that you might also be wondering about, yes this vulnerability exists in other versions of Exchange not listed above. Those versions are the currently supported versions of Exchange. Any other Exchange Server version, service pack, update rollup, or cumulative update level is not supported and therefore Microsoft doesn’t issue a vulnerability statement or a patch for those versions.

The vulnerability is listed as “not disclosed/not exploited”, and requires a specially crafted email to be sent to the Exchange server. The exact details of what that specially crafted message might look like are not disclosed of course. It’s possible that your email security protection will detect and prevent such an email message from reaching your Exchange server.  However, I don’t recommend that you rely on that mitigation, and instead I recommend you plan to test and deploy the patch to your servers.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Paul

    Please can someone explain to me how you can run the update from an elevated command prompt? It does not offer me that option when right clicking on the update.

    Many Thanks

    1. Avatar photo
      Paul Cunningham

      Open the elevated cmd prompt first, then run the update file from that cmd prompt.

  2. Jason Trimble

    It should be made absolutely clear that you must run this update from an elevated command prompt. Without doing so will cause OWA/ECP failures, among some other possible issues.

    JT

  3. PK

    Pay attention when installing Exchange 2016 CU9 on Windows Server 2016. The following Security Update for Exchange Server 2016 CU9 (KB4092041) causes Error 0x80070643. It disables all Exchange services. They can be manually enabled, but they don´t start anymore and the Security update couldn´t be uninstalled.

    1. PK

      Manually download KB4092041

      Create a file “profile.ps1” in “C:\Windows\System32\WindowsPowerShell\v1.0” containing the following command: New-Alias Stop-SetupService Stop-Service
      (This simply creates an alias that makes Windows think there’s a valid “Stop-SetupService cmdlet)

      Run KB4092041 as Administrator

      Works fine – Thanks to Dominic

      1. Cam

        The above fix did not work for me.

        Says patch install ended prematurely.

        Any thoughts?

        1. Adam

          Same here. One of my Exchange servers has been dead for several days due to this “patch” and the profile.ps1/manual run fix didn’t help.

          1. Aaron

            Same. KB4092041 kills my Exchange 2016 on Server 2016.

            Fresh install of Server 2016, Exchange 2016 CU 9 plus Cumulative Update for Windows Server 2016 for x64-based Systems (KB3206632). No joy with profile.ps1

  4. HaileSelassie

    When applying such security updates, do they have to be removed prior to the next CU update for Exchange 2013/2016?

      1. HaileSelassie

        Thanks for your fast feedback Paul, appreciated

  5. JM

    Is this a continuation of Spectre/Meltdown/TotalMeltdown flaws? What this patch fixes sounds similar to the TotalMeltdown POC that was released back in March.

    Are we certain this fixes older CUs (pre Jan 2018/Dec 2017)?

Leave a Reply