Home » Blog » MS15-064 – Important Security Update for Exchange Server 2013

MS15-064 – Important Security Update for Exchange Server 2013

Microsoft has released an important security update for Exchange Server 2013. The bulletin MS15-064 states:

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if an authenticated user clicks a link to a specially crafted webpage. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message.

The update is available for Exchange Server 2013 SP1 (CU4) and CU8. The update will also be included in CU9 and all future cumulative updates.

Note: There are reports such as those in the comments below that this update causes problems in some CU8 environments. If your testing reveals the same issue in your own environment I recommend uninstalling the update, and then evaluating and deploying CU9 instead.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Blog

13 comments

  1. Edwin says:

    Any known problems with this update?
    I just installed it on our 2013 cu4 POC and after logging in to the ecp i got an error.
    Trouble is i forgot to write down what the error exactly said, i just uninstalled it.

    Some yellow letters about somtehing that couldnt be found…

    • Rolf A. Vaglid says:

      I experienced errors on ECP and OWA on two dedicated MBX-server installed directly using CU8 after installing this update.

      Uninstalling the update fixed the issue, so I’m bound to stay clear of this update for a while, leaving the customers Exchange-servers vulnerable…

      Event code: 3008
      Event message: A configuration error has occurred.
      Event time: 11.06.2015 13:44:00
      Event time (UTC): 11.06.2015 11:44:00
      Event ID: 9e2c3121221e4063b7b8758500d7bb07
      Event sequence: 5
      Event occurrence: 1
      Event detail code: 0

      Application information:
      Application domain: /LM/W3SVC/2/ROOT/ecp-1-130784966371187422
      Trust level: Full
      Application Virtual Path: /ecp
      Application Path: C:Program FilesMicrosoftExchange ServerV15ClientAccessecp
      Machine name: E15MBX01

      Process information:
      Process ID: 5200
      Process name: w3wp.exe
      Account name: NT AUTHORITYSYSTEM

      Exception information:
      Exception type: ConfigurationErrorsException
      Exception message: Could not load file or assembly ‘Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.
      at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)
      at System.Web.Configuration.Common.ModulesEntry.SecureGetType(String typeName, String propertyName, ConfigurationElement configElement)
      at System.Web.Configuration.Common.ModulesEntry..ctor(String name, String typeName, String propertyName, ConfigurationElement configElement)
      at System.Web.HttpApplication.BuildIntegratedModuleCollection(List1 moduleList)
      at System.Web.HttpApplication.GetModuleCollection(IntPtr appContext)
      at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
      at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
      at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
      at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

      Could not load file or assembly 'Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
      at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMarkHandle stackMark, IntPtr pPrivHostBinder, Boolean loadTypeFromPartialName, ObjectHandleOnStack type)
      at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean loadTypeFromPartialName)
      at System.Type.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase)
      at System.Web.Compilation.BuildManager.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase)
      at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)

      Request information:
      Request URL: https://localhost:444/ecp/exhealth.check
      Request path: /ecp/exhealth.check
      User host address: 127.0.0.1
      User:
      Is authenticated: False
      Authentication Type:
      Thread account name: NT AUTHORITYSYSTEM

      Thread information:
      Thread ID: 11
      Thread account name: NT AUTHORITYSYSTEM
      Is impersonating: False
      Stack trace: at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)
      at System.Web.Configuration.Common.ModulesEntry.SecureGetType(String typeName, String propertyName, ConfigurationElement configElement)
      at System.Web.Configuration.Common.ModulesEntry..ctor(String name, String typeName, String propertyName, ConfigurationElement configElement)
      at System.Web.HttpApplication.BuildIntegratedModuleCollection(List
      1 moduleList)
      at System.Web.HttpApplication.GetModuleCollection(IntPtr appContext)
      at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
      at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
      at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
      at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

  2. Rolf A. Vaglid says:

    Now I even got the same error after installing this update at another customer, this one running a two-node DAG with multirole (CAS and MBX) CU8 servers.

    Server Error in ‘/ecp’ Application.
    ——————————————————————————–
    Could not load file or assembly ‘Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.

    And then the same errors in the applog…
    I’ll uninstall this. I’m curious if I’ll get the same error when installing CU9 as this update is included in CU9.

    I really can’t believe I’m the only one experiencing this. 🙂

    • edwin says:

      I too had the exact same error, only i forgot to copy it.
      I’m in the middle of a migration from 2010 to 2013, and still testing so i just uninstalled it, but the error was the same.

  3. EricW says:

    I had 2 issues when installing in my test environment. 4 multi role servers in a DAG running CU8.

    1) After rebooting the “Microsoft Exchange Search Host Controller” service was changed to ‘disabled’ and this caused issues with indexing on the databases. Changing it to Auto and starting the service resolved the problem.

    2) On 2 of the 4 systems experienced the same ECP/OWA errors listed above when attempting to access OWA or ECP.

    Could not load file or assembly ‘Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35′ or one of its dependencies. The system cannot find the file specified.

    I resolved this issue by hardcoding the BinSeaarchFolders path in IIS as documented in the following technet forum:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/5259018c-aec7-4490-a500-e1af54798f14/exchange-2013-ecp-error-line-43?forum=exchangesvrgeneral

Leave a Reply

Your email address will not be published. Required fields are marked *