Now Available: Updated Release of MS13-061 Security Update for Exchange Server 2013
Published Aug 27 2013 09:08 AM
Microsoft

On August 14th, we announced the removal of the MS13-061 Security Update for Exchange Server 2013 due to an issue where the patch changed settings for the search infrastructure, placing the content index for all databases into a failed state.  As of today, we have released updated security updates for both Exchange 2013 RTM CU1 and Exchange 2013 RTM CU2.

Download links for MS13-061:

As always, we recommend you test updates in a lab environment that closely mirrors your production environment prior to deploying in your production environment.

Questions & Answers

Q: What was changed in these patches?

A: The registry settings for the search infrastructure outlined in KB 2879739 are preserved during patch installation.

Q: Was this patch tested in your on-premises environment prior to release?

A: Yes, we tested this in our Exchange Dogfood environment prior to release and validated that the search settings were retained upon installation.

Q: What happens if I uninstall the security update (or any other interim update I receive from Microsoft for Exchange 2013)?

A: You will need to follow the steps identified in KB 2879739, otherwise your search infrastructure will be broken. 

Q: Wait, I thought you fixed that issue; why do I have to follow KB 2879739 if I uninstall?

A: This has to do with the way the search infrastructure is installed during the Cumulative Update.  Unfortunately, this issue cannot be corrected via a patch file; we have to address it in a cumulative update.  We are planning to address this in CU3.

Q: If I uninstall a patch and then install a new patch, do I still have to follow the steps in KB 2879739?

A: Yes.

Q: Will I need to follow KB 2879739 every time I install a patch?

A: No; the installation of a new patch without uninstalling the previous patch will not introduce this behavior.

Ross Smith IV
Principal Program Manager
Exchange Customer Experience
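
A post-install (or post-uninstall) check for the failure mode described above, as an added example that is not part of the original post or of KB 2879739. It assumes the Exchange Management Shell on an Exchange 2013 Mailbox server; the function name is hypothetical.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on an Exchange 2013 Mailbox server after installing or uninstalling an update.
function Test-ExchangeSearchAfterPatch {
    $findings = @()

    # Display name as quoted in the comments on this post.
    $displayName = 'Microsoft Exchange Search Host Controller'
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$displayName'"
    if (-not $svc) {
        $findings += [pscustomobject]@{ Item = $displayName; Problem = 'service not found' }
    } elseif ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
        $findings += [pscustomobject]@{
            Item    = $displayName
            Problem = "state $($svc.State), start mode $($svc.StartMode)"
        }
    }

    # ContentIndexState is reported per database copy; the recalled update
    # left the content index failed for every database.
    $copies = @(Get-MailboxDatabaseCopyStatus -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue)
    if ($copies.Count -eq 0) {
        $findings += [pscustomobject]@{ Item = $env:COMPUTERNAME; Problem = 'no database copies returned' }
    }
    foreach ($copy in $copies) {
        if ("$($copy.ContentIndexState)" -ne 'Healthy') {
            $findings += [pscustomobject]@{
                Item    = $copy.Name
                Problem = "content index state is $($copy.ContentIndexState)"
            }
        }
    }
    $findings
}

$result = @(Test-ExchangeSearchAfterPatch)
if ($result.Count -eq 0) { 'Search service running and all content indexes healthy.' }
else { $result | Format-Table -AutoSize }
```

On a dedicated Client Access server the comments below report the service as disabled and search as not present, so findings there are expected.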

28 Comments
Not applicable

How many people actually dogfood the patch this time? Was it more than a handful? Did Ballmer himself test this before placing the onus on other companies to do the same or are you expecting us to again beta test barely tested code?

Not applicable

Leave Ballmer alone :)

He has enough worries (has a lot of packing)

The code was tested in Iran, it works fine :)

Not applicable

Color me cynical but

Stay on Exchange 2010 and you will be fine.

Not applicable

Ross, can you please confirm that the entire Exchange product team is now running Exchange with this patch?  If not, I'll pass until others test it first.

Not applicable

What a mess Exchange has become lately.

Not applicable

I like to blast any and all patches, upgrades, etc straight into production without testing myself.  Once done, and if there are problems, I'll take to the internetz and display my vast intellect by whining on comment boards.

Not applicable

For the people who never stop complaining on this site. You can always switch to GroupWise and leave the rest of us alone. Otherwise, shut the (eff) up....

Not applicable

So, Microsoft not testing patches adequately for the past year is a-okay, but people coming to complain on this blog over the last year of shitty patches and crashing test and production servers for critical patches is a problem?

Not applicable

Is GroupWise like Groupon?

Never heard of it :)

Not applicable

expired.aspx does not support UPN auth. Exch 2013 needs more to gain money to live on.

Not applicable

Ross Smith,

I want to know the answer to just one question.

Are you (Ross Smith) currently running on your production Microsoft Exchange server mailbox that you use for work Outlook access with this specific patch applied?

Not applicable

@BT, I can't speak for Ross, but my corporate mailbox is certainly on it and search is working great.

Not applicable

I've installed the new update on my CU2 test servers and they seem fine. No issues that I can see so far.

Not applicable

Will this update have to be removed prior to upgrade to CU3? Given that the issue can only reoccur in a removal sequence of the MSP itself, having to remove it before CU3 would be painful. Now if it is just like MSPs Rollups we had in Ex2007/Ex2010 and since installing a CU is similar to installing a SP and that it was not an issue then, will this be the same? (cross fingers that yes :p)

Not applicable

@ABCFED - the Exchange PG is dispersed across multiple different environments; some are in the multi-tenant service, some are in our Exchange Dogfood forest, some are in the corporate environment, and even a few are in the Office 365-Dedicated environment.  So not all of them have this specific patch installed; some have the Exchange 2010 patch installed; some have had new builds of Exchange 2013 installed that already include the security update.

@BT - Yes, my mailbox is on an on-premises E2013 RTM CU2 server and the patch is installed.  Please remember, the updated security binaries were not the issue with the recall; it was a setup issue (specific to how Search Foundation is installed) that caused the problem.  The updated binaries have nothing to do with search.

@Benoit - This update will not need to be removed in order to install CU3 (or a later CU in the event you don't deploy CU3).

Not applicable

Ross Smith,

So you have not dogfooded the product yourself, yet you write an article recommending others to apply this patch. Understood.

Not applicable

Should this security update be installed on Exchange 2013 server with dedicated CAS role?

After installing on a dedicated Exchange 2013 CAS server I see a new disabled service: Microsoft Exchange Search Host Controller

Martijn

Not applicable

Thank you for clarifying.

As I understand it, the Exchange team had split their mailbox usage among Exchange 2010, Exchange 2013, and Office 365 back end services. All of those services have the latest updates applied before releasing them to the public and a number of Exchange coders are utilizing the latest product patches themselves currently.

Perfect. Not sure what the others are complaining about here with that enlightenment. Sounds like everything is working correctly in development and the patches are in fact being tested with live Microsoft users. Sounds like you are on the right track and I look forward to applying this update for my customers.

:)

Not applicable

@BT - I am not sure where you derived that statement as it isn't what I said.

Not applicable

@Benoit - one clarifying comment; if you are on CU2 (or later) then you can go to a newer CU without uninstalling Interim Updates or security patches prior to install.  For RTM and CU1, you will have to uninstall the security update (or interim update) prior to installing a new CU (like CU2).

Not applicable

Should this security update be installed on Exchange 2013 CU2 server with dedicated CAS role?

After installing on a dedicated Exchange 2013 CU2 CAS server I see a new disabled service: Microsoft Exchange Search Host Controller. Note: this security update has not been installed before (new installation).

Installation on dedicated Exchange 2013 CU2 Mailbox server goes without problems.

Martijn

Not applicable

@Martijn - Our recommendation is that all servers be updated.  On a dedicated CAS server the binaries that are affected by the security vulnerability are installed and we want to make certain that they are updated.  You are correct that on a dedicated CAS server, because there are no Information Store processes, search is not present on this box so the workaround is not required.  Further, the recommendation is that the updated patch be applied to ensure that there are no problems servicing the server in the future.

Not applicable

@Brent,

After installing on a dedicated Exchange 2013 CU2 CAS server I see a new disabled service: Microsoft Exchange Search Host Controller. Note: this security update has not been installed before (new installation).

So, a new disabled service (Microsoft Exchange Search Host Controller) is 'by design'?

Martijn

Not applicable

@BT - I wonder if you would be so rude if you were speaking to the Exchange Product Team in person.  If you hate the way the patches and updates are tested, why are you even using Exchange?  Maybe it's time to find a new mail solution or time for you to find a new specialty.

Last update: Jul 01 2019 04:15 PM