Microsoft pulls critical Patch Tuesday fix for Exchange 2013


Microsoft has decided to rescind an update released yesterday for Exchange Server 2013. The update fixed critical vulnerabilities in the mail server that I encouraged Naked Security readers to install as soon as possible.

It is important to note that administrators of Exchange 2007 and 2010 should still apply the fix. There is no known negative impact from installing it on these versions.

The news isn't all bad, but administrators who have already deployed the update may face some extra work implementing workarounds.

What went wrong? The short answer is that the update broke the message index service, preventing Exchange email users from searching their mailboxes.

The component that was intended to be fixed was licensed from Oracle and is called Outside In. This technology helps Outlook Web Access users view content like PDF files inside their view pane without having installed a proprietary reader.

Administrators who wish to hold off on applying the fix should consider disabling this attachment viewing feature as the vulnerabilities have been publicly disclosed.

Microsoft explains how to do this in this KB article under Vulnerability Information -> Oracle Outside In Contains Multiple Exploitable Vulnerabilities -> Workarounds.

If you are an Exchange 2013 administrator and have already deployed this update, don't remove it. Microsoft has published a remediation technique you can apply with just a couple of simple registry keys.

Fortunately this is a rare occurrence. On critical systems it is important to test security updates, but not to dally too long and remain at risk.

Thankfully the problem with this patch was not catastrophic and was caught in a reasonably short window of time.

Microsoft has also published a note on MS13-063, which has been reported to interfere with some internet-enabled games. This appears to be low impact and not of concern to corporate IT professionals (except on weekends).

Quality Control sign courtesy of Shutterstock.


One Response to Microsoft pulls critical Patch Tuesday fix for Exchange 2013

  1. Joe D. · 403 days ago

    More Oracle unbreakable security.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.