MS11-025 required on Exchange Server versions released before October 2018
Published Oct 09 2018 10:02 AM 28K Views

In the security advisories released on 10/09/2018, CVE-2010-3190 was updated to apply to Exchange Server. This bulletin now applies to all versions and cumulative updates for Exchange Server released prior to October 2018. The Exchange team is aware that the installation program for Exchange Server is applying an unpatched version of a Visual Studio released binary which was updated in the package to address CVE-2010-3190. The Exchange team encourages customers to apply the KB2565063 update described in MS11-025 to all Exchange servers. This action is necessary to ensure servers are protected against the vulnerability outlined in the advisory.  Windows Update and Microsoft Update will not automatically apply this update to an Exchange Server.  The installation of a cumulative update released prior to October 2018 will overwrite the affected binary even if MS11-025 was previously applied to the server.  The advisory lists the MS11-025 update as important indicating there is low to medium risk associated with the vulnerability.  Microsoft is not aware of any instances where the exploit has been used against an Exchange Server. Applying this update does not require a reboot of the server or stopping any Exchange services. The Exchange team considers ensuring the security of your servers and data our top priority.  We have examined the Exchange installation process to identify any additional similar scenarios where dependent binaries are not being properly updated when Exchange is installed.  We have modified Exchange installation so that all cumulative updates released after September 2018 will no longer install dependent Visual Studio binaries.  We have added pre-requisite rules to ensure that the correct version of the Visual C++ and Microsoft Foundation Class (MFC) libraries are installed via their native redistribution package before Exchange installation will proceed.  The steps taken will ensure that the correct versions of system and shared binaries are installed and that Windows Update and Microsoft Update are able to detect the need for any future updates to these dependent binaries. The Exchange Team

70 Comments
Not applicable
Is this for real? The MS11-025 bulletin is from April 12, 2011 (Updated: March 13, 2012). Is it still valid as a vulnerability bug?
Not applicable
@Mikael,

This is real and the suggested patch is valid.

The Exchange team considers ensuring the security of your servers and data our top priority. As soon as we learned of this problem we began working on an Exchange fix, which will soon be available. In the meantime we encourage customers to apply the KB2565063 update to all Exchange servers. Microsoft is not aware of any instances where the exploit has been used against Exchange Server.

Not applicable
Thanks Brent,

How about the compatability for Exchange Server 2016 on Windows Server 2012 R2 or 2016?

Not applicable
Yes, it's compatible and should be applied.
Not applicable
Hi.

Where is new CU btw?

It should be here already in September.

Did this bug delayed it?

Not applicable
@Grega, We have finished work on the cumulative update expected in September and it will be arriving shortly.
Not applicable
It is require a reboot of the server!
Not applicable
Server 2012 R2 and Exchange 2013 --> No reboot needed

Server 2016 and Exchange 2016 --> Reboot needed

Not applicable
If you are seeing a reboot on Windows Server 2016, one of two things is happening: 1) This is a Windows deferred reboot from another installation triggering a reboot or 2) Something other than Exchange is loading and using the binaries. It is most likely this is a deferred reboot. Exchange 2016 does not use or load the impacted binaries during server operation and would not force a reboot.
Not applicable
I installed the patch on 4 Exchange 2016 servers on Windows Server 2016, no update required.
Not applicable
Installed on my failover server (Exchange 2013 on Server 2012 R2) and it requested a reboot at the end informing me that .NET based applications could fail to work until the reboot. I scheduled install to the main production server for off hours after this.
Not applicable
Same on an Exchange 2016 Test Server on Windows Server 2016. Asks for reboot or applications dependent on .NET Framework may stop working
Not applicable
update supports only win2008R2 and ealier?

what about Win2016? Ex 2016?

Not applicable
Good question as it is not mentioned in the support article.

I hope that MS can clarify if it supports Exchange 2016 on Windows Server 2012 R2 or 2016?

Not applicable
The download only lists those older OS's, but it does apply new newer OS's too - so yes, you should install it on Windows 2012 R2 and 2016 as well.
Not applicable
Is this also for EX2016 CU10 on SRV2016?

"Programs & Features" only shows me C++ 2005, 2012 and 2013 but not 2010...

THX!

Not applicable
yes it is.
Not applicable
Same here...

Our Server2016/Exchange2016 has only C++ 2012 and C++ 2013 installed.

So I guess CU11 (when it arrives) will pass the pre-requisite test and install (update) correctly?

Kind regards

Stephen

Not applicable
Correct, CU11 does not include the unpatched binary and so will not overwrite the patched file.
Not applicable
Hi.

Would "Security Update For Exchange Server 2013 CU21 (KB4459266)" be enough to cover this one as well (the KB article mentions CVE-2010-3190 as one out of three vulnerabilities being solved)? Or do we need to install the update from MS11-025 separately?

Not applicable
@Thomas, on Exchange 2013 you need to install the MS11-025 update.
Not applicable
We have installed KB2565063 (MS11-025 Update). KB4459266 in Windows Update still shows up. Will it disappear or should we hide it via "Hide Update"?
Not applicable
@Johannes, you need to install KB4459266 in addition to the fix outlined in MS11-025. You should not hide the update.
Not applicable
C++ 2010 was installed on server 2016 with exchange 2016 CU10. When downloading the update and starting the update I got the question to repair or remove the update. is repairing sufficient to fix the bug or to i have to remove and completely reinstall the update?

after a repair no reboot was required.

Not applicable
@Thomas, a repair operation will make the necessary changes without the need to uninstall or re-install the update. Repair indicates that the product was detected as previously installed outside of the Exchange installation.
Not applicable
I did a repair, still shows the vulnerability and file is not patched.
Not applicable
When executing the .exe we get a message on some of our Exchange 2013 Servers that it will do a full Installation instead of an Repair. Is the update also required if Microsoft Visual C++ 2010 Service Pack 1 is not installed?
Not applicable
@Johannes, yes this is required until Cumulative Update 11 or later is installed on the server.
Not applicable
We allready have CU21 installed. So there´s no need to install the KB2565063 update? This Information should be included in the blog article.
Not applicable
@Johannes, installing Cumulative Update 21 by itself will not resolve this. You must install the KB if it was not installed after the cumulative update was installed, as the cumulative update will overwrite the version previously installed.
Not applicable
@Johannes, the DLL specifics are outlined in the MS11-025 article. MFC100.dll will be updated, but is not the impacted DLL. The impacted DLL is ATL100.dll.
Not applicable
Regarding to another Article on the web, it´s all about the Version of "C:\Windows\System32\mfc100.dll"?

On our Exchange 2013 machines on which we have chosen in the Setup Dialog of KB2565063 Option "Repair" we have now:

‎Version: 10.0.40219.325

Modified: June 11th, ‎2011

On our Exchange 2013 machines with no "Microsoft Visual C++ 2010 Redistributable" installed, (no action was taken by now), we have:

Version: 10.0.30319.1

Modified: March 18th, 2010

The responsible Microsoft Team should put the exact Infromation in the Blog Article how we can determine if the update is A) nessessary B) was installed correctly.

Not applicable
So just to clarify even if Microsoft Visual C++ 2010 is not listed in Add/Remove Programs this update should be applied?

What about servers that have the same version currently installed? Should we run the installer again on those servers to re-install with the new binary?

Not applicable
@Don, the answer to both of your questions is yes. If Visual C++ 2010 is not currently installed on your server, once you have deployed Cumulative Update 11 or later, you can remove the Visual C++ package installed by the MS11-025 update.
Not applicable
Hi Brent, I still need this clarified...

We have Server2016/Exchange2016-CU10

Only C++ 2012 and C++ 2013 are installed

Are you saying we have to install KB2565063 (MS11-025), simply to satisfy the pre-requisites of the imminent CU11, Then we can safely uninstall it?

Not applicable
Thanks Brent that makes sense for Exchange 2016, but what about Exchange 2010 servers that do not have C++ 2010 listed in add/remove programs?
Not applicable
Yes, install KB2565063 (MS11-025) now, and CU11 when it comes out - you should not uninstall KB2565063 (MS11-025) after CU11, just leave it there.
Not applicable
@Don, sorry for not answering your question fully. On Exchange Server 2010, MS11-025 needs to be installed after an Exchange Service Pack is installed. The MS11-025 update needs to remain on the server to ensure that any future updates are offered by Windows Update and Microsoft Update. You will not see Visual C++ 2010 listed in Add/Remove programs on Exchange Server 2010 until after MS11-025 has been applied. You do not need to reapply MS11-025 when applying an Update Rollup.
Not applicable
I am confused about the re-release of Ex 2016 CU10 with KB4459266 that appears to be replacing the one with KB 4099852. I have already applied CU10. Should I only be applying now the Visual Studio patch and be OK, or this new CU 10 contains additional fixes? And why releasing a CU10 again when CU11 should be the one already available? I am completely confused about the CU numbers unless there was an error on what KB4459266 should really be. Can you clarify?
Not applicable
@Sandy, adding to what Greg has stated. There is no re-release of Cumulative Update 10. KB4459266 is a security update released this month that applies to Cumulative Update 9 and Cumulative Update 10. KB4459266 patches the base cumulative update to address issues unrelated to the Visual Studio binaries. It was not possible to release a single patch covering all three CVE's reported this month. When patching a server running Cumulative Update 9 or Cumulative Update 10, you need to install two patches this cycle: KB4459266 (CVE-2018-8265 and CVE-2018-8448) and KB2565063 (CVE-2010-3190).
Not applicable
Sorry if it's confusing Sandy. It's a complex issue.

If you are on 2016 CU10 today, apply the KB2565063 update, then apply CU11 when it comes out. And you're done. From then on, just keep applying CU12, 13 etc, no need to do anything else.

Not applicable
Any hint if the x86 and/or x64 version of KB2565063 is needed?

e.g. before the last CU installation, I pre-installed VC++2013 (x64) runtimes, but it seems that the update process was also pulling/installing the x86 version...

Thx in advance

Not applicable
Can you confirm if we need to install the x86 or x64 version, or both?

Exchange 2013 CU21, Server 2012R2

Not applicable
Hello,

We have exchange 2010 sp3 Cu18, when I`m try to Install KB2565063 update I get a Message:

repair Microsoft Visual C++2010 X64 Or Remove Microsoft Visual C++2010 X64

please advise me.

Ronen

Not applicable
@Chris, only the x64 version is required.
Not applicable
This has been answered already above Ronen. A repair does the job you are looking for.
Not applicable
Many thanks.

Interestingly in my case, the update installed on the CAS servers without requiring a reboot. The mailbox servers all needed a reboot however

Not applicable
Server 2012 Ex2013 CAS – No restart

Server 2012 Ex2013 Mailbox Server

Not applicable
Win 2012R2 + Exch 2013 all 3 servers required a reboot

One of them had JUST been rebooted, so it is unlikely a previous pending reboot triggered it

Anyway...

Not applicable
Then maybe something other than Exchange is loading and using the binaries.
Version history
Last update:
‎Jul 01 2019 04:34 PM
Updated by: