Microsoft has released an important security update for Exchange Server 2013. The bulletin MS15-064 states:
> This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if an authenticated user clicks a link to a specially crafted webpage. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message.
The update is available for Exchange Server 2013 SP1 (CU4) and CU8. The update will also be included in CU9 and all future cumulative updates.
- Security update for Exchange Server 2013 CU8 (KB3062157)
- Security update for Exchange Server 2013 SP1 (KB3062157)
Note: There are reports, such as those in the comments below, that this update causes problems in some CU8 environments. If your testing reveals the same issue in your own environment, I recommend uninstalling the update, and then evaluating and deploying CU9 instead.