As you may have noticed, Microsoft just withdrew one of its Patch Tuesday updates for December 2014.
Actually, it’s slightly more complicated than that.
The MS14-075 fix closed a number of security holes in Exchange, including a way to steal someone’s login token and send email in their name.
Even though this bugfix was rated only Important, we urged you to act as though it were Critical, on the grounds that spoofed emails (bogus messages that seem to come from someone you trust) are a social engineer’s best friend.
If I tried to talk you into running a special command for me, for example by giving the excuse that I needed “to fix your message delivery backlog” or to “revive your account after it was inadvertently locked”, you’d almost certainly smell a rat.
But if I could make the same excuse in an email that looked as though it came from a senior member of your IT team, I’d have a much better chance of convincing you.
In other words, patching promptly against CVE-2014-6319 (the vulnerability that lets a crook spoof emails) was a wise idea.
There were four separate patches for various versions of Exchange, three of which have caused no trouble and are still available:
Sadly, if you were running Exchange 2010 (more precisely, Microsoft Exchange Server 2010 Service Pack 3, as shown above), that patch might have caused new problems of its own:
An issue has been identified in the Exchange Server 2010 SP3 Update Rollup 8. The update has been recalled and is no longer available on the download center pending a new RU8 release.
...
The issue impacts the ability of Outlook to connect to Exchange.
Outlook and Exchange go together like the proverbial horse and carriage, so that’s a rather critical problem, especially when the vulnerability it fixed was only Important.
Ironically, the MS14-075 patch was one of two that were pulled just before the November 2014 Patch Tuesday went live.
The first of the pulled patches, MS14-068, was issued about a week later, in a so-called “out of band” update, meaning that Redmond didn’t wait until the next official Patch Tuesday came round.
But the admittedly less critical MS14-075 update had to wait until the December 2014 Patch Tuesday, only to hit the abovementioned snag and be withdrawn.
What to do?
The good news, according to Microsoft’s Exchange Blog, is that if you roll back the dodgy update, Outlook will immediately start working again.
The bad news is that, no matter how few networks or users were actually affected by this bug-fix bug, many system administrators are likely to be much more cautious next month, delaying and deferring patches “just in case.”
We’re going to take a conciliatory approach, and assume that the conditions that cause the problem must be at least a little bit unusual, or else Microsoft’s own testing would have shown them up.
So we’ll also assume that a minority of Exchange 2010 users were affected.
Even so, we’re expecting an abundance of caution from Exchange administrators next time there’s an update.
Are you an Exchange 2010 administrator?
If so, did you encounter this problem? Let us know how you got along in the comments…
I have been struggling through this problem all week – with little to no information found anywhere from Microsoft, this problem seems to mainly affect Outlook 2013 more noticeably than any other version of Outlook so far.
Shouldn’t we also be expecting Microsoft to test fundamental activity between two of their own products???
Upon applying that update to our Exchange Server SP3 server, we were unable to open Outlook. However, with an additional reboot of the Exchange server and waiting for all processes to complete, we were again able to open our Outlook 2013 clients. At this point, I do plan to keep the update in place. But I will be mindful in the future in case our Outlook clients can no longer connect.
This was apparently fixed 12/12. See http://blogs.technet.com/b/exchange/archive/2014/12/09/exchange-releases-december-2014.aspx
Would it be an “out of band” update or an “out of cycle” update?
The term “out of band” is commonly used for an out-of-cycle update.
We have bemoaned this mild misuse on Naked Security before (though I can’t find that article, I distinctly remember writing it :-), and we have written about security issues that better follow our understanding of “out of band,” or at least of its opposite, “in-band”, e.g. here:
https://nakedsecurity.sophos.com/2013/03/07/anatomy-of-a-bug-the-five-minute-insecurity-window-in-the-sudo-command/
…where sudo was using an “in band” signal to denote that no password was required, and here:
https://nakedsecurity.sophos.com/2012/09/26/are-android-phones-facing-a-remote-wipe-hacking-pandemic/
…about mobile phones using special phone numbers that trigger a function before you press “dial.”
In this case, we mean “didn’t come out on Patch Tuesday” 🙂
But there was another ‘update’ withdrawn, see http://support.microsoft.com/kb/3024777. That affects Windows 7 and Windows Server 2008 and not Exchange Server. But I see no mention of that here!
So, what is this withdrawal all about? Can we believe M$ any longer? When can we expect a working and properly tested update to replace this and the one you mentioned?
Per http://support.microsoft.com/kb/2986475 this patch was reissued on Dec. 12th to address problems with the Dec. 9th version. I have not tried it yet myself.
Yes, we encountered this the day after installing the patch. When we saw the bulletin from Microsoft we uninstalled the rollup straight away.
The problem we were having was that it was running out of RAM. Usually it uses less than 50% of the 18 GB installed RAM (it’s a VM), but it was posting messages in the event log that it was running low on resources.
I’ve since installed the re-released patch/rollup on Monday night.
While it seems to be running OK, it was using 94-96% of the RAM again, but no users are having problems as far as I know.
I doubled the RAM available to this machine last night, thinking that would be overkill, but VMware reports it is using 32 GB, and Task Manager says 28 GB RAM.