Pierluigi Paganini
December 13, 2014
Microsoft has announced the recall of a security patch released to fix a problem in its Exchange Server. It is the second straight month that Microsoft has issued a critical Out-of-Band patch for one of its products, in November the company released a patch to fix a vulnerability in Kerberos that could allow elevation of privilege as explained in the Microsoft Security Bulletin MS14-068.
The update provided by Microsoft to fix a flaw its Exchange Server was published on Tuesday was originally slated for release in the November monthly Patch Tuesday release.
“Today, as part of Update Tuesday, we released seven security updates – three rated Critical and four rated Important in severity, to address 24 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office and Exchange.” states the December 2014 Updates page.
The Exchange fix was affected by some issued, it had to be pushed back to the December release, but the company hasn’t provided further details on the case.
Microsoft issued a patch news for a missing fix for an Exchange bug that was promised in its November advanced notification. The December advance notification reports an elevation privilege bug in Exchange, which is included among seven scheduled bulletins to be pushed out next Tuesday. The Exchange patch (MS14-075) applies to Microsoft Exchange Server 2007 SP3, Exchange Server 2010 SP3, Exchange Server 2013 SP1 and Exchange Server 2013 Cumulative Update 6.
Microsoft rated the Exchange patch as important, explaining that the likelihood of remote code execution and imminent exploit is high.
“Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)
This security update resolves four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website, and then convince them to click the specially crafted URL.”
As explained by Microsoft, the update has been recalled and is no longer available :
“The update has been recalled and is no longer available on the download center pending a new RU8 release,” Microsoft wrote on The Exchange Team Blog. “Customers should not proceed with deployments of this update until the new RU8 version is made available. Customers who have already started deployment of RU8 should rollback this update.”
Microsoft explained that the issue in the update affects Outlook’s ability to connect to Exchange. They are promising to release a revised version of the patch as soon as they can isolate the problem and correct it. Microsoft says it will post any further announcements on its
Microsoft explained that the issue in the update affects Outlook’s ability to connect to Exchange. The last updated on the Exchange Blog announced that Exchange Server 2010 SP3 Update Rollup 8 has been re-released to the Microsoft download center fixing the regression issue discovered in the first release.
“The update RU8 package corrects the issue which impacted users connecting to Exchange from Outlook. The issue was insulated to the MAPI RPC layer and was able to be isolated to quickly deliver the updated RU8 package. The updated RU8 package is version number 14.03.0224.002 if you need to confirm you have the updated package. The updates for Exchange Server 2013 and 2007 were not impacted by this regression and have not been updated.”
(Security Affairs – Microsoft, Exchange Server)
