Well, I sat down to write about the new critical security updates Microsoft has released for Exchange 2007, 2010 and 2013, and that simple task has turned into a slightly bigger one.
Let’s get the easy part out of the way first.
Microsoft Security Bulletin MS13-061 (rated Critical) for Exchange Server 2007, 2010 and 2013 has been published.
This security update resolves three publicly disclosed vulnerabilities in Microsoft Exchange Server. The vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. The vulnerabilities could allow remote code execution…
This security update is rated Critical for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013.
Head to the Microsoft Exchange Team blog post for the direct links to the download pages for the updates.
You may ask why Exchange 2007 and Exchange 2010 SP2/SP3 are receiving an update rollup whereas Exchange 2013 receives a standalone security update.
This is because Exchange 2007/2010 continue to be maintained under the old servicing model (i.e. update rollups for any type of update), whereas Exchange 2013 is maintained under a new servicing model in which individual critical security updates can be released without requiring a full update rollup (or cumulative update, as they are now called).
Now for the hard part. The updates that have been released have already been shown to have issues.
- Exchange Server 2007 SP3 Update Rollup 11 – no issues as of the time I’m writing this.
- Exchange Server 2010 SP2 Update Rollup 7 – no issues as of the time I’m writing this.
- Exchange Server 2010 SP3 Update Rollup 2 – the installation prompts for the location of the Exchange 2010 SP3 media. You may need to copy those files back to the location where they were when SP3 was installed, or re-point the installer to their new location. According to my testing that is all that is required to get the update
- Exchange Server 2013 RTM CU1 & CU2 security updates – break the content index. More details and remediation steps here. Michel de Rooij has posted a quick script here that can save you some typing.
Another question you may be asking yourself is whether this means you should not deploy the security updates.
That decision is one that you and your organization need to make based on your own risk assessment. These are critical patches though, with potential remote code execution exploits, so you should not disregard them. Despite the issues above there are fixes for them that will still allow you to deploy the updates to secure your servers.
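The bulletin places the vulnerabilities in WebReady Document Viewing, so one input to that risk assessment is knowing where the feature is switched on. The following is an added example, not code from the original post or from Microsoft: a PowerShell function, `Get-WebReadyExposure` (a hypothetical name), that reports which OWA virtual directories or OWA mailbox policies have WebReady enabled. The sample objects and server names are constructed.

```powershell
# Added example: not from the original post. Written for PowerShell 2.0 so it
# also runs in the Exchange 2007/2010 Management Shell.
function Get-WebReadyExposure {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$InputObject
    )
    begin {
        # WebReady switches carried by OWA virtual directories and OWA mailbox policies.
        $flags = 'WebReadyDocumentViewingOnPublicComputersEnabled',
                 'WebReadyDocumentViewingOnPrivateComputersEnabled'
    }
    process {
        $obj = $InputObject
        # Collect the names of the switches that are set to $true on this object.
        $on  = @($flags | Where-Object { $obj.$_ -eq $true })
        New-Object PSObject -Property @{
            Identity       = [string]$obj.Identity
            WebReadyActive = ($on.Count -gt 0)
            EnabledOn      = ($on -replace '^WebReadyDocumentViewingOn|ComputersEnabled$', '') -join ','
        } | Select-Object Identity, WebReadyActive, EnabledOn
    }
}

# Constructed sample objects (hypothetical server names) so the function runs offline.
$sample = @(
    (New-Object PSObject -Property @{
        Identity = 'EX01\owa (Default Web Site)'
        WebReadyDocumentViewingOnPublicComputersEnabled  = $true
        WebReadyDocumentViewingOnPrivateComputersEnabled = $true }),
    (New-Object PSObject -Property @{
        Identity = 'EX02\owa (Default Web Site)'
        WebReadyDocumentViewingOnPublicComputersEnabled  = $false
        WebReadyDocumentViewingOnPrivateComputersEnabled = $true }),
    (New-Object PSObject -Property @{
        Identity = 'EX03\owa (Default Web Site)'
        WebReadyDocumentViewingOnPublicComputersEnabled  = $false
        WebReadyDocumentViewingOnPrivateComputersEnabled = $false })
)

# List only the objects where WebReady is still reachable.
$sample | Get-WebReadyExposure | Where-Object { $_.WebReadyActive } | Format-Table -AutoSize

# In the Exchange Management Shell, pipe real objects instead of $sample:
#   Get-OwaVirtualDirectory | Get-WebReadyExposure
#   Get-OwaMailboxPolicy    | Get-WebReadyExposure   # Exchange 2010 and later
```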
The last question I ask myself: “Isn’t it just about one year since the last time we had to deal with WebReady Document Viewing security-related stuff?” 🙂 I haven’t even enabled it again since last time at some customers 🙂
Do we really need WebReady? Look at all the problems it had over 1 year! Given that CAS can’t be in a DMZ, I don’t like putting my internal network at risk when an OWA user views an email message.
I’m looking for conservative and forward-thinking security guidance that would likely have recommended disabling WebReady a long time ago.
I’d also be interested in disabling other aspects of Exchange that are risky, since OWA compression allows for HTTPS/TLS attacks:
Is anyone out there smart enough to tell me a default and secure configuration of Exchange before I dig it up on security forums? Any smart Exchange gurus are wanted!! (Please post in the above links if you have something to share.)