In the security advisories released on 10/09/2018, CVE-2010-3190 was updated to apply to Exchange Server. This bulletin now applies to all versions and cumulative updates for Exchange Server released prior to October 2018.

The Exchange team is aware that the installation program for Exchange Server is applying an unpatched version of a Visual Studio-released binary which was updated in the package to address CVE-2010-3190. The Exchange team encourages customers to apply the KB2565063 update described in MS11-025 to all Exchange servers. This action is necessary to ensure servers are protected against the vulnerability outlined in the advisory. Windows Update and Microsoft Update will not automatically apply this update to an Exchange Server. The installation of a cumulative update released prior to October 2018 will overwrite the affected binary even if MS11-025 was previously applied to the server.

The advisory lists the MS11-025 update as important, indicating there is low to medium risk associated with the vulnerability. Microsoft is not aware of any instances where the exploit has been used against an Exchange Server. Applying this update does not require a reboot of the server or stopping any Exchange services.

The Exchange team considers ensuring the security of your servers and data our top priority. We have examined the Exchange installation process to identify any additional similar scenarios where dependent binaries are not being properly updated when Exchange is installed. We have modified Exchange installation so that all cumulative updates released after September 2018 will no longer install dependent Visual Studio binaries. We have added pre-requisite rules to ensure that the correct version of the Visual C++ and Microsoft Foundation Class (MFC) libraries are installed via their native redistribution package before Exchange installation will proceed.

The steps taken will ensure that the correct versions of system and shared binaries are installed and that Windows Update and Microsoft Update are able to detect the need for any future updates to these dependent binaries.

The Exchange Team
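Because Windows Update will not flag a missing KB2565063 on an Exchange server, and because any cumulative update released before October 2018 silently overwrites the affected binary again, an administrator needs a repeatable local check to run after every CU install. The following PowerShell script is an added example, not code from the Exchange Team or from this post: it reads the per-machine Uninstall registry keys (both the native and the WOW6432Node hive), lists the Visual C++ 2010 redistributable entries, and flags the x64 entry (which a commenter below states is the only one Exchange requires) when it is absent or below a caller-supplied version. The page does not state the version number installed by KB2565063, so `$RequiredVersion` defaults to a placeholder and must be set by the operator after checking the KB article.

```powershell
# Added example: inventory Visual C++ 2010 redistributables on an Exchange server
# and flag whether the MS11-025 / KB2565063 level appears to be present.
# ASSUMPTION: the version threshold is supplied by the caller; the default
# below is a placeholder, not a value taken from this page or from KB2565063.
param(
    [version]$RequiredVersion = '0.0.0.0'   # placeholder, replace after reading KB2565063
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect every installed-product entry whose name identifies the VC++ 2010 runtime.
$entries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -like 'Microsoft Visual C++ 2010*') {
            # DisplayVersion may be missing or malformed; TryParse avoids a cast error.
            $ver = $null
            $parsed = [version]::TryParse([string]$p.DisplayVersion, [ref]$ver)
            [pscustomobject]@{
                DisplayName    = $p.DisplayName
                DisplayVersion = $p.DisplayVersion
                Architecture   = if ($p.DisplayName -match 'x64') { 'x64' } else { 'x86' }
                Patched        = $parsed -and ($ver -ge $RequiredVersion)
            }
        }
    }
}

if (-not $entries) {
    Write-Warning 'No Visual C++ 2010 redistributable entry found; apply KB2565063 (x64) per MS11-025.'
} else {
    $entries | Format-Table -AutoSize
    $x64 = @($entries | Where-Object Architecture -eq 'x64')
    if ($x64.Count -eq 0 -or ($x64 | Where-Object { -not $_.Patched })) {
        Write-Warning 'x64 VC++ 2010 runtime is missing or below the required version; re-apply KB2565063.'
    } else {
        Write-Output 'x64 VC++ 2010 runtime meets the required version.'
    }
}
```

Run it once as a baseline, then again immediately after installing any cumulative update released before October 2018, since the post states that such a CU overwrites the patched binary even when MS11-025 had already been applied. The script only inspects the redistributable registration; it does not name or hash the affected DLL, because this page does not identify it.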
MS11-025 required on Exchange Server versions released before October 2018
- Deleted: We are not getting October month updates for our Exchange 2010; instead we are getting preview updates. We are looking for KB4459922, KB4462923. We tried installing KB3177467 to get this month's updates but they are still not appearing. Can someone please advise?
- Deleted: We're deployed with Exchange 2013/CU21/Windows Server 2012 R2 x64. The system requirements for this patch do not list our server OS, but based on some of the comments we should deploy this patch, specifically 'Exchange2013-KB4340731-X64-en.msp', anyway?
Thanks
- Deleted: Yes Todd, and the KB2565063 update. The download link for Security Update For Exchange Server 2013 CU21 (KB4340731) does list your OS. The x64 annotation isn't there, if that's confusing you, because you can't install on x86 anyway.
- Deleted: Is there a specific order in which 'vcredist_x64.exe' and 'Exchange2013-KB4340731-X64-en.msp' should be installed?
The confusing part is that the system requirements section for the KB2565063 update doesn't list the OS we are deployed on:
Supported Operating System
Windows 7, Windows Server 2003 R2 (32-Bit x86), Windows Server 2003 R2 x64 editions, Windows Server 2008 R2, Windows Vista Service Pack 2, Windows XP
- Deleted: Hi Brent/Greg, quick question:
I know that, as per this blog, we must install the KB2565063 (CVE-2010-3190) C++ patch now.
But will Exchange 2016 CU11 contain security update KB4459266 (CVE-2018-8265)?
Kind regards
- Deleted: Yes it will, Stephen.
- Deleted: Hello, since you didn't mention this issue with Exchange Server 2010, I assume that Exchange 2010 is safe. Could you please help me with this question? Thanks
- Deleted: "This bulletin now applies to all versions and cumulative updates for Exchange Server released prior to October 2018."
So yes, it applies to Exchange Server 2010 as well.
- Deleted: If the Exchange team really considers ensuring security their top priority, please revise this incompetent blog post to cleanly sort out all the customer confusion demonstrated in the messy comments.
- Deleted: Why is it that for this blog post and others like the Exchange 2019 preview announcement, people are forced to ask obvious questions that should have been answered in the blog post itself?
You can't be bothered to take a few minutes to come up with a chart that will answer concerns about different OS and Exchange combinations and KB2565063?
You can't be bothered to offer basic information that people need to know about the Exchange 2019 preview in that blog post; we have to post basic questions there to get the information?
You can't be bothered to update the supportability matrix with things like information about support for the presence of Windows 2019 domain controllers? https://docs.microsoft.com/en-us/exchange/exchange-server-supportability-matrix-exchange-2013-help
You can't be bothered to post something about the next Cumulative Updates in September when people are expecting it? Someone has to ask an obvious question about it in mid-October to get any information?
- Deleted: Hello,
I have a few questions:
1.) For two Exchange 2016 CU2 servers (DAG), what would be the proper upgrade path to avoid this vulnerability?
2.) Upgrade to CU9 or CU10? Or upgrade to CU8 and install this patch and wait for CU11 to be released?
- Deleted: @CGL, I would recommend you apply the MS11-025 update, then deploy Cumulative Update 11 when it is released.
- Deleted: Hi Brent, thanks for getting back to me. Do you recommend updating from CU2 to CU8 or to CU10? How long until CU11 comes out? Do you have some steps that you might know of on how to properly upgrade from Exchange 2016 CU2 to the latest CU release?
- Deleted: When trying to install KB4459266 on one of our three Exchange 2016 CU10 servers, we receive error 0x800705b4.
This leaves the server in an unrecoverable state with all Exchange and some dependent services disabled.
We tried everything we could find, including resetting the Windows Update service and its cache and disabling all antivirus, with no success. Same result when trying to install the update manually with the .msp file. We ended up restoring a backup for this server. It came back and was syncing up with the DAG.
But as soon as we try to install the update, it fails again. The other two servers didn't have any problem with that.
Any ideas?
- Deleted: Marc, I'd suggest opening a case with support; that's the best way to get into it and figure out what's going on.
- Deleted: Server 2012 Ex2013 CAS – No restart
Server 2012 Ex2013 Mailbox Server
- Deleted: Win 2012 R2 + Exch 2013: all 3 servers required a reboot
One of them had JUST been rebooted, so it is unlikely a previous pending reboot triggered it
Anyway...
- Deleted: Then maybe something other than Exchange is loading and using the binaries.
- Deleted: Any hint whether the x86 and/or x64 version of KB2565063 is needed?
e.g. before the last CU installation, I pre-installed the VC++ 2013 (x64) runtimes, but it seems that the update process was also pulling/installing the x86 version...
Thanks in advance
- Deleted: Can you confirm if we need to install the x86 or x64 version, or both?
Exchange 2013 CU21, Server 2012R2
- Deleted: @Chris, only the x64 version is required.
- Deleted: Hello,
We have Exchange 2010 SP3 CU18; when I try to install the KB2565063 update I get a message:
repair Microsoft Visual C++2010 X64 Or Remove Microsoft Visual C++2010 X64
Please advise me.
Ronen
- Deleted: This has been answered already above, Ronen. A repair does the job you are looking for.