As you may have noticed, Microsoft just withdrew one of its Patch Tuesday updates for December 2014.
Actually, it’s slightly more complicated than that.
The MS14-075 fix closed a number of security holes in Exchange, including a way to steal someone’s login token and send email in their name.
Even though this bugfix was rated only Important, we urged you to act as though it were Critical, on the grounds that spoofed emails (bogus messages that seem to come from someone you trust) are a social engineer’s best friend.
If I tried to talk you into running a special command for me, for example by giving the excuse that I needed “to fix your message delivery backlog” or to “revive your account after it was inadvertently locked”, you’d almost certainly smell a rat.
But if I could make the same excuse in an email that looked as though it came from a senior member of your IT team, I’d have a much better chance of convincing you.
In other words, patching promptly against CVE-2014-6319 (the vulnerability that lets a crook spoof emails) was a wise idea.
There were four separate patches for various versions of Exchange, three of which have caused no trouble and are still available:
Sadly, if you were running Exchange 2010 (more precisely, Microsoft Exchange Server 2010 Service Pack 3, as shown above), that patch might have caused new problems of its own:
An issue has been identified in the Exchange Server 2010 SP3 Update Rollup 8. The update has been recalled and is no longer available on the download center pending a new RU8 release.
The issue impacts the ability of Outlook to connect to Exchange.
Outlook and Exchange go together like the proverbial horse and carriage, so that’s a rather critical problem, especially when the vulnerability it fixed was only Important.
Ironically, the MS14-075 patch was one of two that were pulled just before the November 2014 Patch Tuesday went live.
The first of the pulled patches, MS14-068, was issued about a week later, in a so-called “out of band” update, meaning that Redmond didn’t wait until the next official Patch Tuesday came round.
But the admittedly less critical MS14-075 update had to wait until the December 2014 Patch Tuesday, only to hit the abovementioned snag and be withdrawn.
What to do?
The good news, according to Microsoft’s Exchange Blog, is that if you roll back the dodgy update, Outlook will immediately start working again.
That bad news is that, no matter how many networks or users were not affected by this bug-fix bug, many system administrators are likely to be much more cautious next month, delaying and deferring patches “just in case.”
We’re going to take a conciliatory approach, and assume that the conditions that cause the problem must be at least a little bit unusual, or else Microsoft’s own testing would have shown them up.
So we’ll also assume that a minority of Exchange 2010 users were affected.
Even so, we’re expecting an abundance of caution from Exchange administrators next time there’s an update.
Are you an Exchange 2010 administrator?
If so, did you encounter this problem? Let us know how you got along in the comments…