Exchange Team Blog

Microsoft Security Bulletin MS10-024 released

The_Exchange_Team
Apr 13, 2010

We have released security updates for the following versions of Exchange:

  • Security Update for Exchange 2000 Server (KB976703)
  • Security Update for Exchange Server 2003 Service Pack 2 (KB976702)
  • Update Rollup 10 for Exchange Server 2007 Service Pack 1 (KB981407)
  • Update Rollup 4 for Exchange Server 2007 Service Pack 2 (KB981383)
  • Update Rollup 3 for Exchange Server 2010 (KB981401)

Security-related changes for Exchange 2007 and Exchange 2010 ship as update rollups, following the cumulative servicing model. However, we have tried to keep the number of non-security-related changes in these rollups to a minimum.

More information can be found in the security bulletin, "Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)".

- The Exchange Team

Updated Jul 01, 2019
Version 2.0

29 Comments

  • Anonymous
    If you are running Exchange 2003 or Exchange 2000, you need both the Exchange and Windows patches since they are both rated as important.

    If you are running SMTP service on a Windows only system, you need the Windows update since it is rated as important as well.

    If you are running Exchange 2007 or Exchange 2010, then applying the update is recommended even though it is not rated since it includes a defense-in-depth change. If you are applying the update rollup, you should apply it to all roles.
  • Anonymous
    From FAQ:
    Do I need to apply updates for both Windows and Exchange?
    For systems that have Microsoft Exchange installed, both the Exchange and Windows update should be applied. If you have the SMTP service enabled but do not run the Exchange service, only the Windows update need be applied.
  • Anonymous
    There is a bug in the RU for Exchange 2007 (since SP2 RU1). After the installation, customers with German language will not be able to open the toolbox because of a translation of some regkeys that should not be translated.

    Here you can find a REG-file that will fix this little bug: http://tinyurl.com/y6lpa5b (in German only).
  • Anonymous
    Can you explain how this works for Exchange 2003? Does one need the Exchange 2003 patch (976702) AND the Windows SMTP patch (976323), since Ex2003 uses Windows 2003's SMTP?
  • Anonymous
    The bulletin says the following for Ex2007 and 2010:

    I am running Exchange 2007 or Exchange 2010. Why am I being offered an update if they are not affected by the vulnerabilities described in this bulletin?

    The updates for Microsoft Exchange 2007 and Microsoft Exchange 2010 only include the defense-in-depth change that adds additional source port entropy to DNS transactions initiated by the SMTP service.

    What the heck does this mean?
  • Anonymous
    What about Forefront in the process of updating the servers?
  • Anonymous
    Do I have to install earlier rollups before installing this one?
  • Anonymous
    We found that the Windows Update version of Update Rollup 4 was offered to our CCR clusters - traditionally this is not the case - update rollups need installing separately from Windows Update to CCR nodes.

    Is this a policy change with this update or is there something not right with our setup? I guess there is a first time for everything!

    Warren
  • Anonymous
    So is this basically only relevant to the Hub and Edge Transport roles?