Exchange 2013 Security Update Available For MS13-061

Update 14-8-2013: The security update for Exchange 2013 has been temporarily removed due to an issue with the search infrastructure.


If you have installed it, please refer to the article “Update 2874216 breaks the content index in Exchange Server 2013”

Update 14-8-2013: Please see an update on the Exchange team blog.

Update 27-8-2013: Updated release of the security update for Exchange 2013 CU1 and CU2 is now available.


The first security update for Exchange 2013 was released to the download centre earlier today to address the security issues that are described in Microsoft Security Bulletin MS13-061. Exchange 2007 SP3, Exchange 2010 SP2 and Exchange 2010 SP3 also received updates today to resolve the security issues described in the bulletin. While all supported Exchange 2007 and 2010 builds were updated to resolve CVE-2013-2393 and CVE-2013-3776, there is an additional security vulnerability in Exchange 2013. This is covered in CVE-2013-3781 and discussed in the Oracle Critical Patch Update Advisory - July 2013. Microsoft has classified all three of these issues as critical for Exchange 2013.

Exchange 2013 Security Vulnerability Assessment Rating


Please note that there are separate updates available for Exchange 2013 RTM CU1 and CU2.  They have the same file names, so make sure to save to properly named folders.

Security Update for Exchange Server 2013 RTM CU1

Security Update for Exchange Server 2013 RTM CU2


This is the first Exchange 2013 update that resolves only security issues. As previously mentioned, with the new servicing model security updates will be released separately from the other Cumulative Update servicing updates.

In order to install this security update, you must have installed the updated build of Exchange 2013 RTM CU2, which is described here. This is the 712.24 build of Exchange.

Please test before installing this update into production!  This is not a surprise, as every update to the messaging infrastructure should be carefully tested and reviewed prior to installing in production.




Rhoderick Milne [MSFT]
