Microsoft has published security bulletin MS16-108 in September 2016, which includes critical security updates for all currently supported versions of Exchange Server.

Included in MS16-108 are updates to patch remote code execution vulnerabilities in Oracle Outside In libraries, which is third party code that Microsoft licensed for use in Exchange. These Oracle libraries have been the cause of many, many security vulnerabilities in different versions of Exchange Server over the years.

Updates are available for:

If you are running any earlier builds of Exchange not listed above, then you should consider them at risk for this vulnerability.

The timing of these patch releases is such that the next cumulative updates for Exchange 2013 and 2016 could be released any day now. The security updates above will be included in the next cumulative updates. Regardless of the anticipated timing of the CU releases, you should begin your testing and planning to deploy the standalone security updates now, considering they are critical updates. As no details of Exchange 2013 CU14 or Exchange 2016 CU3 have been publicly announced, it’s possible they will contain other functional changes that you need more time to test without delaying these critical security updates.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. Ranga

    Don’t have test environment Paul. however i did google and following exchange blog no one reported issue with new security update on exchange 2010 sp3 and 2013 cu12 . Only issue in exchange 2016 So I’m fine with that.

  2. Ranga

    Since there is no reply, I will consider no one installed this security update in Exchange 2010 sp3.
    very bad.

    1. Avatar photo
      Paul Cunningham

      You asked whether anyone faced any issue. Nobody replied. All you can conclude from that is that nobody replied. If you have concerns about a patch you should use a test environment to validate it before you deploy to production.

  3. Ranga

    Has anyone faced any issue while installing this patch in Exchange 2010 sp3 UR 14 and Exchange 2013 CU 12?

  4. Mohammad

    Hi Paul,

    As this update says as RU15 for Exchange 2010 SP3. Does environment need to be RU14 to install this update?



  5. Jaffar

    Correct Bulletins didn’t specify that. Alright, I will install that patch in EDGE server also.

  6. Jaffar

    Hi Paul ,

    Do we need to install this patch even for which has only EDGE Role server also ? and Second question do you recommend install this patch first in Test environment and then too Production environment ?

    1. Avatar photo
      Paul Cunningham

      The bulletins don’t seem to specify. I would assume Edge also needs them, unless you can find information that says otherwise.

      Yes, always test patches.

  7. Mathew

    Hi Paul, If we were running Exchange 2013 CU10 would this require an update to CU12 or CU13 and then apply the patch. I was assuming from what you have above, an update is needed first.

    Thank you for your time,

    1. Avatar photo
      Paul Cunningham

      Correct. You should update anyway as you are running an unsupported build.

  8. Navishkar Sadheo

    Thanks Paul

  9. Jack H

    Thanks for doing what you do

Leave a Reply