Exchange Security Update Available For MS13-105

To address the security issues present in bulletin MS13-105 all supported versions of Exchange 2007, 2010 and 2013 are receiving updates to allow customers to address the security vulnerabilities.   Depending upon the version of Exchange the delivery method will vary.  Exchange 2007 and 2010 provides updates and security fixes via Rollup Updates (RUs).  Exchange 2013 has a different servicing strategy where product updates are delivered by Cumulative Updates (CUs) and security fixes are provided in separate security releases.  In other words you do not have to deploy a CU just resolve a security issue.  This was an often requested feature as customers want to quickly patch for security issues, but evaluating other fixes that may be present in a RU and how that could affect the environment extended the patching time.

 Update 17-12-2013: Added link to issue with Exchange 2010 SP2 RU8 that my happen with certain languages, with message "Error Reading From File".

Update:  6-2-2014 Folder views are not updated when you arrange by categories in Outlook after you apply Exchange Server 2010 Service Pack 3 Update Rollup 3 or Update Rollup 4

Links To Updates

Exchange 2007 SP3 RU12

Exchange 2010 SP2 RU8

Exchange 2010 SP3 RU4

Exchange 2013 CU2

Exchange 2013 CU3

Note that Exchange 2003 is not listed in this security bulletin.

Exchange 2013

Since Exchange 2013 allows security fixes to be released separately from the regular product CUs, implementing these security updates is easier compared to Exchange 2007/2010.   Update MS13-105  supersedes MS13-061.  There is no need to uninstall the previous security fix prior to installing MS13-015.  Note that there is no provided fix for Exchange 2013 RTM or Exchange 2013 RTM CU1.  Why you ask?  The answer is because those 2013 builds do not receive security updates or other fixes.

Please also review the posts on deploying Exchange 2013 RTM CU2 and CU3.

Exchange 2007 & Exchange 2010

With Exchange 2007 and 2010 security updates and product updates are both delivered via RUs.  Exchange 2010 SP3 RU3 was recently released, and Exchange 2010 SP3 RU4 contains only the additional fixes for the security issues.   For example if you are currently running Exchange 2010 SP3 RU1, then you will need to review the fixes present in Exchange 2010 SP3 RU2 and RU3.  A similar pattern is also present with Exchange 2010 SP2 and Exchange 2007 SP3.

Exchange 2010 SP2 RU8 has an installation issue with certain languages. You may get the "Error reading from file" message.  Please see the link for details and resolution.

Once you have reviewed the previous posts and then tested the updated in a lab then it is time to start the production rollout!



Rhoderick Milne [MSFT]

Leave a Reply

Your email address will not be published. Required fields are marked *