Microsoft Security Bulletin MS10-024 released
Published Apr 13 2010 05:16 PM

We have released security updates for the following versions of Exchange:

  • Security Update for Exchange 2000 Server (KB976703)
  • Security Update for Exchange Server 2003 Service Pack 2 (KB976702)
  • Update Rollup 10 for Exchange Server 2007 Service Pack 1 (KB981407)
  • Update Rollup 4 for Exchange Server 2007 Service Pack 2 (KB981383)
  • Update Rollup 3 for Exchange Server 2010 (KB981401)

Security-related changes for Exchange 2007 and Exchange 2010 ship as update rollups, following the cumulative servicing model. However, we have tried to keep the number of non-security-related changes in these rollups to a minimum.

More information can be found in the security bulletin at Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832...

- The Exchange Team

29 Comments
Not applicable
So is this basically only relevant to the Hub and Edge Transport roles?
Not applicable
We found that the Windows Update version of update rollup 4 was offered to our CCR clusters - traditionally this is not the case - update rollups need installing separately from Windows Update to CCR nodes.

Is this a policy change with this update or is there something not right with our setup? I guess there is a first time for everything!

Warren
Not applicable
Do I have to install earlier rollups before installing this one?
Not applicable
What about Forefront in the process of updating the servers?
Not applicable
The Bulletin says the following for Ex2007 and 2010:

I am running Exchange 2007 or Exchange 2010. Why am I being offered an update if they are not affected by the vulnerabilities described in this bulletin?

The updates for Microsoft Exchange 2007 and Microsoft Exchange 2010 only include the defense-in-depth change that adds additional source port entropy to DNS transactions initiated by the SMTP service.

What the heck does this mean?
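
Added example, not part of the original post or its comments: one way to check from firewall logs whether a mail server's outbound DNS queries use unpredictable source ports, which is what the bulletin text quoted above refers to. The log format, host addresses, sample ports and thresholds are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Assumed log format (constructed): "<time> ALLOW UDP <src>:<sport> -> <dst>:53"
LINE_RE = re.compile(r"UDP (\d+\.\d+\.\d+\.\d+):(\d+) -> \S+:53\b")

def ports_by_host(log_text):
    """Group source ports of outbound DNS queries by source host, in log order."""
    hosts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hosts[m.group(1)].append(int(m.group(2)))
    return dict(hosts)

def assess(ports):
    """Estimate how guessable the next source port is from those already seen."""
    if len(ports) < 2:
        raise ValueError("need at least two samples")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    # A reused port (delta 0) or a simple counter (delta 1) is predictable,
    # even though a counter yields ports that are all distinct.
    predictable = sum(1 for d in deltas if d in (0, 1)) / len(deltas)
    # Upper bound on port bits, from the width of the observed range.
    range_bits = math.log2(max(ports) - min(ports) + 1)
    # Thresholds are illustrative assumptions, not values from the bulletin.
    verdict = "predictable" if predictable >= 0.5 or range_bits < 10 else "randomized"
    return {"predictable_fraction": predictable,
            "range_bits": round(range_bits, 1), "verdict": verdict}

def _lines(host, ports):
    """Build constructed sample log lines for one host."""
    return "\n".join(f"2010-04-14T09:00:{i:02d} ALLOW UDP {host}:{p} -> 192.0.2.53:53"
                     for i, p in enumerate(ports))

# Constructed sample: one host allocating ports sequentially, one randomizing.
SAMPLE_LOG = "\n".join([
    _lines("10.0.0.5", [1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032]),
    _lines("10.0.0.6", [51344, 2087, 40911, 17650, 63002, 9433, 28876, 55120]),
])

if __name__ == "__main__":
    for host, ports in ports_by_host(SAMPLE_LOG).items():
        print(host, assess(ports))
```

A forged DNS reply has to match both the 16-bit transaction ID and the UDP source port of the query, so a port that can be guessed leaves the transaction ID as the only unknown.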
Not applicable
Can you explain how this works for Exchange 2003? Does one need the Exchange 2003 patch (976702) AND the Windows SMTP patch (976323) since Ex2003 uses Windows 2003's SMTP?
Not applicable
There is a bug in the RU for Exchange 2007 (since SP2 RU1). After the installation, customers with German language will not be able to open the toolbox because of a translation of some regkeys that should not be translated.

Here you can find a REG-file that will fix this little bug: http://tinyurl.com/y6lpa5b (in German only).
Not applicable
From FAQ:
Do I need to apply updates for both Windows and Exchange?
For systems that have Microsoft Exchange installed, both the Exchange and Windows update should be applied. If you have the SMTP service enabled but do not run the Exchange service, only the Windows update need be applied.
Not applicable
If you are running Exchange 2003 or Exchange 2000, you need both the Exchange and Windows patches since they are both rated as important.

If you are running SMTP service on a Windows only system, you need the Windows update since it is rated as important as well.

If you are running Exchange 2007 or Exchange 2010, then applying the update is recommended even though it is not rated since it includes a defense-in-depth change. If you are applying the update rollup, you should apply it to all roles.
Not applicable
WARNING: We have had this update reset all our SMTP settings (including relay settings) on two different servers.  Both were Windows Server 2008.
Not applicable
We applied rollup3 to all of our exchange 2010 servers, on our CAS server it crashes our OWA site!  We have to uninstall the rollup to get it working again.  Still looking for a fix!!!
Not applicable
Dan - if you are seeing issues, please head over to our Exchange Updates Forum and post there; blog post comments are a pretty poor vehicle for issue troubleshooting.

http://social.technet.microsoft.com/Forums/en-US/exchangesoftwareupdate/threads
Not applicable
seems like this rollup will cause issues like rollup 9 did
Not applicable
Yes, this update can reset SMTP settings. One of my servers has been the problem and now I've read this: http://kbase.gfi.com/showarticle.asp?id=KBID003836
Not applicable
For folks with Cluster installs using Exchange 2007 SP2 or Exchange 2010, the rollup will be offered as a silent install via Microsoft Update and WSUS. Having your machine configured for Auto Update may have an impact as the Rollup will be installed on the node that is offered regardless of state of that node. Services will be restarted for that node and if Active - failover will happen.
Not applicable
RobertW - We are aware of the issue and hope to address it in a future rollup.
Not applicable
Not only did this update wipe out SMTP relay for me, it appears to be causing timeouts. Hotmail.com works fine; gmail.com (as well as postini), chase.com, and other mail servers drop the connection after it gets to code 354, dropping with a 451 or 421 code.
Not applicable
Hello

I would like to confirm the problems reported by Richard Vetter above.
I use Exchange2003 SP2 and after this install I started to get problems with sending emails. A lot of my users get
Subject: Delivery Status Notification (Failure)
This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

There is definitely a problem with this. For instance for me hotmail.com does not work fine and I get this and no other changes happened on my system aside from this update. And I used to be able to email hotmail just fine a day before the update.

There was a SMTP communication problem with the recipient's email
server.  Please contact your system administrator.
   <mail.eved.com #5.5.0 smtp;550 OU-001 Mail rejected by Windows Live
Hotmail for policy reasons. Reasons for rejection may be related to
content with spam-like characteristics or IP/domain reputation problems.
If you are not an email/network admin please contact your
E-mail/Internet Service Provider for help. Email/network admins, please
visit http://postmaster.live.com for email delivery information and
support>
Not applicable
Arturo & Richard - We can confirm that there is an issue with the Windows 2008 and Windows 2008 R2 package where the existing configuration including pre-existing relay settings may be lost.  To the best of our knowledge this does not affect any version of Exchange server.  At this time, we are working to list the problem in the Known Issues section of the security bulletin and we are planning to release an update.

For anyone whose issues are not already discussed (including Remus), would you be willing to open a support ticket with Microsoft?  Please feel free to reach out to me via email for proper follow up.  First.Last@_
Not applicable
Guys, a small update on my issue. It was caused by our mail server being included on a spamhouse antispam list. This was blocking the mails on other receiving mail servers.
It just happened at the same time as these updates, that's why it was so hard to pinpoint.

thanks
Not applicable
Does SP2 rollout 4 include the DoS patch?
Not applicable
Yes, SP2 RU4 contains the defense in depth code change for this issue.
Not applicable
Do I need to install previous roll-ups before installing these??
Not applicable
I have Exchange 2003 on SBS 2003 R2, I need upgrade this exchange to improve mail services.


Not applicable
We installed Update Rollup 4 for Exchange Server 2007 Service Pack 2 this weekend...

For some reason, our BIS connected Blackberrys can no longer send/receive e-mail. (Standard Internet connected Blackberrys)   The BES Blackberrys (Enterprise connected) work just fine.

Blackberry Support says to call AT&T and T-Mobile...
Yeah right.

John
Not applicable
WARNING
Exchange 2003 KB976702 effectively breaks ActiveSync push to iPhones.

After install, iPhones seem to hold the push connection open with lots of cmd=Ping commands.  This causes the battery to drain at a phenomenal rate.

Examining my ActiveSync logs before showed no use of cmd=Ping before KB976702, and afterwards it appears every couple of minutes.

Only workaround is to drop iPhones off push and back to fetch :(

SERIOUSLY NOT IMPRESSED.

Not applicable
@David Aldridge:

David, we are not aware of this problem from what I am finding. Please open up a support case on this! We'd like to see a repro so we can figure it out.
Not applicable
We installed Rollup 4 for Exchange 2007 SP2 last week and we are facing lots of issues after installing it: our Blackberry BIS users are not able to send and receive their email, our mail server was included on a spam house antispam list, this update reset the SMTP settings, and I also got the error below when our POP3 users try to send any mail to an external domain from outside our network.
“Sending' reported error (0x800CCC62): 'Your outgoing (SMTP) e-mail server has reported an internal error. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).”

Not applicable
@ David
Looks like the same thing happened to us - updated the server last night and all the iPhones, iPads and Entourage clients stopped working.
Configured my iPhone not to push and went into the account, turned off mail and turned it back on, and it seemed to work.
We started getting a bunch of server ActiveSync warnings (event 3007) since the update.
Last update: Jul 01 2019 03:51 PM