It’s a busy day in the land of Exchange today, with updates also released for Exchange 2007, Exchange 2010 SP3, and Exchange 2013.
Exchange 2010 SP2 RU7 is now available as update 2874216.
Exchange 2010 SP2 RU7 is also released as part of Patch Tuesday to resolve the security issues that are addressed in Exchange 2007 SP3 RU11. For reference they are, CVE-2013-2393 and CVE-2013-3776 as discussed in the Oracle Critical Patch Update Advisory - July 2013. Microsoft has classified both of them as critical for Exchange 2010.
The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser. An attacker who successfully exploited this vulnerability could run code on the affected Exchange Server, but only as the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.
Exchange 2010 SP2 RU7 contains the fixes for the above security issues.
This is one of the smaller RUs produced, but that still means that testing and validation must occur as with any other update to the messaging system.
Cheers,
Rhoderick