Microsoft has decided to rescind an update released yesterday for Exchange Server 2013. The update fixed critical vulnerabilities in the mail server that I encouraged Naked Security readers to install as soon as possible.
It is important to note that administrators of Exchange 2007 and 2010 should still apply the fix. There is no known negative impact from installing it on these versions.
The news isn’t all bad, but administrators who have already deployed the update may face some extra work implementing workarounds.
What went wrong? The short answer is that the update broke the message index service, preventing Exchange email users from searching their mailboxes.
The component that was intended to be fixed was licensed from Oracle and is called Outside In. This technology helps Outlook Web Access users view content like PDF files inside their view pane without having installed a proprietary reader.
Administrators who wish to hold off on applying the fix should consider disabling this attachment viewing feature as the vulnerabilities have been publicly disclosed.
Microsoft explains how to do this in this KB article under Vulnerability Information -> Oracle Outside In Contains Multiple Exploitable Vulnerabilities -> Workarounds.
If you are an Exchange 2013 administrator and have already deployed this update, don’t remove it. Microsoft has published a remediation technique you can apply with just a couple of simple registry keys.
Fortunately this is a rare occurrence. On critical systems it is important to test security updates, but not to dally too long and remain at risk.
Thankfully the problem with this patch was not catastrophic and was caught in a reasonably short window of time.
Microsoft has also published a note on MS13-063, which has been reported to interfere with some internet-enabled games. This appears to be low impact and not of concern to corporate IT professionals (except on weekends).