Microsoft has released an important security update for Exchange Server 2013. The bulletin MS15-064 states:

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if an authenticated user clicks a link to a specially crafted webpage. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message.

The update is available for Exchange Server 2013 SP1 (CU4) and CU8. The update will also be included in CU9 and all future cumulative updates.

Note: There are reports such as those in the comments below that this update causes problems in some CU8 environments. If your testing reveals the same issue in your own environment I recommend uninstalling the update, and then evaluating and deploying CU9 instead.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. EricW

    I had 2 issues when installing in my test environment. 4 multi role servers in a DAG running CU8.

    1) After rebooting the “Microsoft Exchange Search Host Controller” service was changed to ‘disabled’ and this caused issues with indexing on the databases. Changing it to Auto and starting the service resolved the problem.

    2) On 2 of the 4 systems I experienced the same ECP/OWA errors listed above when attempting to access OWA or ECP.

    Could not load file or assembly ‘Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.

    I resolved this issue by hardcoding the BinSearchFolders path in IIS as documented in the following technet forum:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/5259018c-aec7-4490-a500-e1af54798f14/exchange-2013-ecp-error-line-43?forum=exchangesvrgeneral

  2. Rob Derbyshire

    What is the recommendation for those running CU7, Paul?

  3. Rolf A. Vaglid

    Now I even got the same error after installing this update at another customer, this one running a two-node DAG with multirole (CAS and MBX) CU8 servers.

    Server Error in ‘/ecp’ Application.
    ——————————————————————————–
    Could not load file or assembly ‘Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.

    And then the same errors in the applog…
    I’ll uninstall this. I’m curious if I’ll get the same error when installing CU9 as this update is included in CU9.

    I really can’t believe I’m the only one experiencing this. 🙂

    1. edwin

      I too had the exact same error, only I forgot to copy it.
      I’m in the middle of a migration from 2010 to 2013, and still testing so I just uninstalled it, but the error was the same.

      1. Rolf A. Vaglid

        Installed CU9 after uninstalling the update, no errors. 🙂

  4. Edwin

    Any known problems with this update?
    I just installed it on our 2013 CU4 POC and after logging in to the ECP I got an error.
    Trouble is I forgot to write down what the error exactly said, I just uninstalled it.

    Some yellow letters about something that couldn’t be found…

    1. Rolf A. Vaglid

      I experienced errors on ECP and OWA on two dedicated MBX-servers installed directly using CU8 after installing this update.

      Uninstalling the update fixed the issue, so I’m bound to stay clear of this update for a while, leaving the customer’s Exchange-servers vulnerable…

      Event code: 3008
      Event message: A configuration error has occurred.
      Event time: 11.06.2015 13:44:00
      Event time (UTC): 11.06.2015 11:44:00
      Event ID: 9e2c3121221e4063b7b8758500d7bb07
      Event sequence: 5
      Event occurrence: 1
      Event detail code: 0

      Application information:
      Application domain: /LM/W3SVC/2/ROOT/ecp-1-130784966371187422
      Trust level: Full
      Application Virtual Path: /ecp
      Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp
      Machine name: E15MBX01

      Process information:
      Process ID: 5200
      Process name: w3wp.exe
      Account name: NT AUTHORITY\SYSTEM

      Exception information:
      Exception type: ConfigurationErrorsException
      Exception message: Could not load file or assembly ‘Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.
      at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)
      at System.Web.Configuration.Common.ModulesEntry.SecureGetType(String typeName, String propertyName, ConfigurationElement configElement)
      at System.Web.Configuration.Common.ModulesEntry..ctor(String name, String typeName, String propertyName, ConfigurationElement configElement)
      at System.Web.HttpApplication.BuildIntegratedModuleCollection(List`1 moduleList)
      at System.Web.HttpApplication.GetModuleCollection(IntPtr appContext)
      at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
      at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
      at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
      at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

      Could not load file or assembly ‘Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.
      at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMarkHandle stackMark, IntPtr pPrivHostBinder, Boolean loadTypeFromPartialName, ObjectHandleOnStack type)
      at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean loadTypeFromPartialName)
      at System.Type.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase)
      at System.Web.Compilation.BuildManager.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase)
      at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)

      Request information:
      Request URL: https://localhost:444/ecp/exhealth.check
      Request path: /ecp/exhealth.check
      User host address: 127.0.0.1
      User:
      Is authenticated: False
      Authentication Type:
      Thread account name: NT AUTHORITY\SYSTEM

      Thread information:
      Thread ID: 11
      Thread account name: NT AUTHORITY\SYSTEM
      Is impersonating: False
      Stack trace: at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)
      at System.Web.Configuration.Common.ModulesEntry.SecureGetType(String typeName, String propertyName, ConfigurationElement configElement)
      at System.Web.Configuration.Common.ModulesEntry..ctor(String name, String typeName, String propertyName, ConfigurationElement configElement)
      at System.Web.HttpApplication.BuildIntegratedModuleCollection(List`1 moduleList)
      at System.Web.HttpApplication.GetModuleCollection(IntPtr appContext)
      at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
      at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
      at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
      at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

        1. Rolf A. Vaglid

          Nope, two standalone MBX-servers.

      1. Jeromy Baldridge

        I saw that error installing my first Exchange 2013 box into my Org. According to a couple of blog posts I finally found, it is because a second copy of the sharedwebconfig.config file doesn’t get generated by the installer in the correct location. This solved my problem, hope it helps you.

        Copy the sharedwebconfig.config file from:
        E:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy
        To:
        E:\Program Files\Microsoft\Exchange Server\V15\ClientAccess

        1. Matt Jamison

          Fix for me was in IIS, Application Settings, BinSearchFolders. It had: %ExchangeInstallDir%bin;%ExchangeInstallDir%bin\CmdletExtensionAgents;%ExchangeInstallDir%ClientAccess\Owa\bin

          So I changed it to our install directory, yours is probably different: D:ExchangeServerV15bin;D:ExchangeServerV15binCmdletExtensionAgents;D:ExchangeServerV15ClientAccessOwabin

          Found the fix here:

          https://social.technet.microsoft.com/Forums/office/en-US/7c36836c-0223-4bfe-8a36-24db8a021507/error-in-ecp-and-owa-after-update?forum=exchangesvrdeploy
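
A check for the condition EricW and Matt Jamison describe in the comments above, as an added example that is not part of the original comments or of Microsoft's tooling: it reads the BinSearchFolders application setting from a web.config and flags entries that still contain an unexpanded %variable%, so the state can be verified after patching instead of leaving the update uninstalled. The function name, the status labels and the sample XML are constructed for illustration, and it assumes the IIS application setting is stored under appSettings in the application's web.config.

```powershell
# Added example; function name, status labels and sample XML are constructed.
function Test-BinSearchFolders {
    param(
        [Parameter(Mandatory = $true)][xml]$WebConfig,  # parsed web.config content
        [switch]$CheckDisk                              # also test that each folder exists
    )
    # Assumption: the IIS "Application Settings" entry lives in <appSettings>.
    $xpath = "/configuration/appSettings/add[@key='BinSearchFolders']"
    $node = $WebConfig.SelectSingleNode($xpath)
    if ($null -eq $node) {
        return [pscustomobject]@{ Status = 'SettingMissing'; Folder = $null }
    }
    foreach ($folder in ($node.GetAttribute('value') -split ';')) {
        if ([string]::IsNullOrWhiteSpace($folder)) { continue }
        if ($folder -match '%[^%;]+%') {
            # Placeholder was never replaced with a real path.
            $status = 'UnexpandedVariable'
        } elseif ($CheckDisk -and -not (Test-Path -LiteralPath $folder -PathType Container)) {
            $status = 'FolderNotFound'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{ Status = $status; Folder = $folder }
    }
}

# Constructed sample modelled on the value reported in the comments.
[xml]$sample = @'
<configuration>
  <appSettings>
    <add key="BinSearchFolders" value="%ExchangeInstallDir%bin;%ExchangeInstallDir%bin\CmdletExtensionAgents;%ExchangeInstallDir%ClientAccess\Owa\bin" />
  </appSettings>
</configuration>
'@

Test-BinSearchFolders -WebConfig $sample | Format-Table -AutoSize

# On a server, load the real file instead. The directory is the one shown in the
# event log above; the web.config file name is an assumption.
# $cfg = [xml](Get-Content -LiteralPath 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\web.config' -Raw)
# Test-BinSearchFolders -WebConfig $cfg -CheckDisk
```

Any row reported as UnexpandedVariable matches the state the commenters corrected by entering their literal install path.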
