Released: Microsoft Security Bulletin MS13-105 for Exchange
Published Dec 10 2013 11:20 AM

Today the Exchange team released security bulletin MS13-105. Updates are being made available for the following versions of Exchange Server:

  • Exchange Server 2007 SP3
  • Exchange Server 2010 SP2
  • Exchange Server 2010 SP3
  • Exchange Server 2013 CU2
  • Exchange Server 2013 CU3

Customers who are not running one of these versions will need to upgrade to an appropriate version in order to receive the update.

Security bulletin MS13-105 contains details about the issues resolved, including download links.

For Exchange Server 2007/2010 customers, the update is being delivered via an Update Rollup per standard practice. Due to the timing of the release of our most recent Update Rollups, the only difference between the previously released Update Rollup and the Security Update Rollup released today is the inclusion of the security updates identified in MS13-105. We did not include updates for any other customer-reported issues in these packages, to ease their adoption.

For Exchange Server 2013 customers, security updates are always delivered as discrete updates and contain no other updates. Security updates for Exchange 2013 are cumulative in nature based upon a given Cumulative Update. This means customers who are running CU2 who have not deployed MS13-061 can move straight to the MS13-105 update because it will contain both security updates. Customers who are already running MS13-061 on CU2 may install MS13-105 on top of MS13-061 without removing the previous security update. If MS13-061 was previously deployed, Add/Remove Programs will indicate that both updates are installed. If MS13-061 was not previously deployed, only MS13-105 will appear in Add/Remove Programs.
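The paragraphs above describe how the update stacks on each build and what Add/Remove Programs will show afterwards; the practical question for an administrator is which servers in the organization actually carry the security update once the rollout is under way. The following PowerShell script is an added example, not code from the Exchange team or from this post. It assumes it runs in the Exchange Management Shell with PowerShell remoting enabled to every server, and it uses a placeholder KB filter ($KbFilter) because the KB numbers for each build are listed in the bulletin, not here. It reads the standard Uninstall registry keys that Add/Remove Programs is built from, so the output matches what the post says you will see there.

```powershell
# Added example (not the Exchange team's code): inventory the Exchange build and the
# installed Exchange update entries on every server in the organization, so a mixed
# state (some servers with the security update, some without) is visible from one console.
# Assumptions: runs in the Exchange Management Shell; WinRM remoting works to each server;
# $KbFilter is a placeholder to be replaced with the KB number from the bulletin for your build.
param(
    [string]$KbFilter = 'KB*'   # placeholder: e.g. 'KB<number from MS13-105>'
)

# 1. Build consistency: the post recommends a consistent version across all servers.
#    For 2013, AdminDisplayVersion reflects the CU; for 2007/2010 it reflects the Service Pack
#    only, so step 2 (the Add/Remove Programs view) is the authoritative check for rollups.
$servers  = Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion
$versions = $servers | Group-Object AdminDisplayVersion
if ($versions.Count -gt 1) {
    Write-Warning 'Mixed Exchange builds in the org (expected only while a rollout is in progress):'
    foreach ($v in $versions) {
        Write-Warning ('  {0}: {1}' -f $v.Name, ($v.Group.Name -join ', '))
    }
}

# 2. Per-server inventory of Exchange update entries, exactly as Add/Remove Programs lists them.
#    Both the native and the Wow6432Node Uninstall keys are read, since entries can land in either.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$inventory = foreach ($srv in $servers) {
    try {
        Invoke-Command -ComputerName $srv.Name -ErrorAction Stop `
            -ArgumentList $uninstallKeys, $KbFilter -ScriptBlock {
            param($keys, $kb)
            Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -like '*Exchange*' -and $_.DisplayName -like "*$kb*" } |
                Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } },
                              DisplayName, DisplayVersion, InstallDate
        }
    } catch {
        # Keep unreachable servers in the report rather than silently dropping them.
        [pscustomobject]@{
            Server         = $srv.Name
            DisplayName    = "UNREACHABLE: $($_.Exception.Message)"
            DisplayVersion = $null
            InstallDate    = $null
        }
    }
}
$inventory | Sort-Object Server, DisplayName | Format-Table -AutoSize

# 3. Any server with no matching update entry is still to be patched; list it by role so the
#    CAS-first / DAG-later sequencing discussed for this update can be tracked to completion.
$patched = $inventory |
    Where-Object { $_.DisplayName -notlike 'UNREACHABLE*' } |
    Select-Object -ExpandProperty Server -Unique
$servers | Where-Object { $patched -notcontains $_.Name } | ForEach-Object {
    Write-Warning ("{0} ({1}): no Exchange update entry matching '{2}' found" -f `
        $_.Name, $_.ServerRole, $KbFilter)
}
```

Run it with the KB number for the build you are patching, for example `.\Get-ExchangeUpdateInventory.ps1 -KbFilter 'KB<number>'`, once before the rollout (to confirm the starting state) and once after. On Exchange 2013 with MS13-061 already installed, the inventory for a patched server will show both entries, which is the behaviour the post describes; on 2007/2010 it will show the rollup entry only.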

These updates are being made available via Microsoft Update and on the Microsoft Download Center.

Exchange Team

66 Comments
Not applicable
After this update, BSODs with CRITICAL_OBJECT_TERMINATION also appear daily on one of the mailbox servers in the DAG. Before the update the server was stable...
Not applicable
As I see from the BSOD dump, it is because of the Health Monitoring service:

Debugging Details:
------------------

Page 785dd not present in the dump file. Type ".hh dbgerr004" for details

PROCESS_OBJECT: fffffa80143727f0
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: wininit
FAULTING_MODULE: 0000000000000000
PROCESS_NAME: MSExchangeHMWo
BUGCHECK_STR: 0xF4_MSExchangeHMWo
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80001c57ab2 to fffff800018c9bc0

STACK_TEXT:
fffff880`0a2d0b08 fffff800`01c57ab2 : 00000000`000000f4 00000000`00000003 fffffa80`143727f0 fffffa80`14372ad0 : nt!KeBugCheckEx
fffff880`0a2d0b10 fffff800`01c02abb : ffffffff`ffffffff fffffa80`182f1060 fffffa80`143727f0 fffffa80`17d38060 : nt!PspCatchCriticalBreak+0x92
fffff880`0a2d0b50 fffff800`01b82674 : ffffffff`ffffffff 00000000`00000001 fffffa80`143727f0 00000000`00000008 : nt! ?? ::NNGAKEGL::`string'+0x17486
fffff880`0a2d0ba0 fffff800`018c8e53 : fffffa80`143727f0 fffff880`ffffffff fffffa80`182f1060 00000000`00000000 : nt!NtTerminateProcess+0xf4
fffff880`0a2d0c20 00000000`77a8157a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`2a93d1e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77a8157a

STACK_COMMAND: kb
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: wininit.exe
FAILURE_BUCKET_ID: X64_0xF4_MSExchangeHMWo_IMAGE_wininit.exe
BUCKET_ID: X64_0xF4_MSExchangeHMWo_IMAGE_wininit.exe

Followup: MachineOwner

Not applicable
To the post above me, are you running 2010 or 2013?
Not applicable
I do have 2010 SP3 RU4 running in a test env., but we don't do much of any testing with it unless someone reports it here; then I go and try and validate it. Our prod env. is more complicated than our test env., so putting the RUs in our test env. really doesn't validate anything other than that it doesn't blow up the servers.
Not applicable
Well, 2 weeks on, we haven't rolled this out (current 2010 SP3 RU2). The decision comes down to possible security risk vs causing known problems with the 2010 SP3 RU3 bugs. Our customers won't tolerate broken products. Any simple dogfood testing of the RU3 patch for a week would have picked up these bugs.
Not applicable
Great job Microsoft. Just ran ru4 last night. Now Outlook continually prompts the users for a password. I've already opened a ticket and am awaiting a callback from professional support. Way to completely ***-up an update yet again.
Not applicable
Still issues with RU4. Can't get the test lab to work after installing. Breaks and destroys CAS services willy-nilly. Exchange 2013 coding is an unmitigated disaster. Months, aw hell let's be honest here, more than a year after release it's buggier than Herbie and runs about as well as Lindsey Lohan.
Not applicable
Oh wait, I see you stated "Exchange 2013 coding is an unmitigated disaster". Still trying to figure out if RU4 is OK for 2010 Exchange. Seems like only a few may have some slight issues with it.
Not applicable
2010 SP3 RU3 Good to Go? Less issues with RU3 compared to RU4?
Not applicable
I believe no one who claims to have an Exchange 2013 organization running on 70 servers with no problems at all. That is simply impossible to believe.
Not applicable
Greg

As to my post from 16 Dec 2013 3:04 PM related to Outlook credentials: the problem was traced to an autodiscover issue where the client was not able to authenticate. All services were running; iisreset did not help. An additional restart of the Exchange server solved the problem. Still don't know the reason.

Not applicable
Running without problems on ~70 servers here (SP3RU4).
Not applicable
Do not upgrade to ru4. Still buggy.
Not applicable
After installing RU4 for security-related reasons I have installed RU3. Now category view is broken in Outlook 2010. Weird issues: when switching from the inbox to another folder it shows old emails; when you go back to the inbox and back to the folder it displays the correct emails. Again go back to the inbox and back to the folder and old emails are displayed; back to the inbox, back to the folder and all emails are there. (non-cached mode)

Having intermittent backup problems now, not sure if it is related, but my faith in these rollups is gone.

Exchange 2010 SP3 RU4.

Not applicable
It's been a while; just wanted to hear back from some people on thoughts about installing RU4 for 2010 SP3. It seems a few are having issues but they don't specify the version. I would like to upgrade to this but was holding out for more info.
Not applicable
zxc
Not applicable
We're running Exchange 2010 SP3 RU4 here without any problems
Not applicable

Anyone seeing any news of this being used in the wild? It sounds like it has serious potential.

Untested patch and 2010 SP3 RU3 problems VS a known serious vulnerability?

Not applicable

So do we need to re-download and re-run the CU (ex 2010)?

Not applicable

@Sean, can you expand on that question? Exchange 2010 only has RUs and SPs. For example you previously installed 2010 SP3 RU3, then all you need to do is download and install 2010 SP3 RU4 to get the security update for MS13-105 in addition to the other updates provided in RU1 through RU3.

Not applicable

Can I just patch the 2007 SP3 CAS, since this is just the security fix, without having to update CCR?

Not applicable

@Just did RU11 - Our recommendation is that customers deploy a consistent version of any Update Rollup across all servers in their environment.  We support co-existence of versions for the period of time it takes a customer to deploy an update, which we presume to be a temporary condition.

Not applicable

Does installing this Cumulative Update or Update Rollup mean we need to perform an uninstallation again when the next CU or Service Pack needs to be deployed?

Not applicable

"Server Support Specialist" - this is a full CU / RU which means you don't need to uninstall it. The next one, when it comes out, would just go over top of it. It's not an Interim Update.

Not applicable

@Server Support Specialist - For 2013 you do NOT need to uninstall the security update to move to the next Cumulative Update or Service Pack.  Similarly, for 2007/2010 you do NOT need to uninstall Update Rollups to move to the next Update Rollup or Service Pack.

Today we require that any Interim Updates you have may have received from support to be uninstalled before moving to a later Update Rollup, Cumulative Update or Service Pack.  We are working to remove this requirement in future builds of 2013.

Not applicable

Does Rollup 12 for Exchange 2007 fix the IE 11 OWA Problem? I can't find any information ... Thanks

Not applicable

@Server Support Specialist: No, you won't need to uninstall an Exchange 2010/2007 update roll-up to install the next update rollup (or service pack). Similarly, you won't need to uninstall an Exchange 2013 CU to install the next CU.

Not applicable

@Martin: Please note, mainstream support for Exchange 2007 ended in 2012. Exchange 2007 SP3 RU7 was the last Exchange 2007 update released under mainstream support. The RU7 release announcement includes this info.

Microsoft Product Lifecycle has support dates for Exchange 2007. Also see the Microsoft Support Lifecycle Policy FAQ, which includes details about availability of non-security hotfixes during extended support.

Not applicable

Please can you clarify that these vulnerabilities just affect CAS servers?  I'd like to patch them ASAP if that is the case.  Patching DAG/CCRs will take much longer and require organized down-time.  I'm unsure whether I'll be able to get that just before the holidays.

Of course, this will be just a case of timing, rather than leaving DAG servers unpatched.

Not applicable

A few days back, Microsoft released RU3 and a few days later they released RU4. Can anyone tell me: if we still haven't deployed RU3 in the environment, do we install RU4 directly on the server? Are all the fixes that were part of RU3 in RU4?

Not applicable

@Tech - Everything contained in RU3 is in RU4 as well.  You may go directly to RU4 and receive all the benefits of RU3 as well.

@John - If your DAGs and CCRs do NOT have the CAS role installed, then updating your CAS roles only will address all of the vulnerabilities. However, as previously mentioned, the recommendation is that this be a temporary state to achieve your deployment requirements and that all roles should be updated.

Not applicable

I am planning on doing an upgrade from 2010 SP2 RU5v2 to 2010 SP3 latest RU.  So is this security bulletin considered RU4 now?

So in order to do my upgrade I would just have to install SP3 first, and then this security update (RU4?) as it includes everything from RU1-RU3, Correct?

Not applicable

@Jason: That's right - because RUs are cumulative, RU4 includes all updates included in RU1-RU3, in addition to the security update.

Not applicable

How slow is installing that patch on Exchange 2013 CU3?

On my Exchange 2013 VM (4 vCPU, 32 GB RAM, RAID10 storage) the patch has been running for 30 minutes!

Not applicable

MS13-105 first states that "The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. These vulnerabilities could allow remote code execution in the security context of the LocalService account if an attacker sends an email message containing a specially crafted file to a user on an affected Exchange server."

Then later in MS13-105, in the "MAC Disabled Vulnerability - CVE-2013-1330" FAQ, it states that "An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Local System service account."

Also, the FAQ for "MAC Disabled Vulnerability - CVE-2013-1330" states that the attack vector is "In an attack scenario, the attacker could send specially crafted content to the target server."

I am not certain if I understood this correctly. Is it really possible for an attacker to send specially crafted content to the target Exchange server and get Local System service account access, without any action from the user? If so, then this definitely is a more serious vulnerability than those for WebReady Document Viewing and Data Loss Prevention.

Thanks for any clarification ...

Not applicable

@MS - The statement that the WebReady Document Viewing and Data Loss Prevention vulnerabilities are of greater importance reflects that these have already been publicly disclosed.  The MAC Disabled Vulnerability was not known until our bulletin was released.  As the bulletin states, both issues have received a critical rating indicating that we encourage customers to address both issues as quickly as possible.

Not applicable

MS13-105 on Exchange 2007 SP3 causes OWA to stop working.  No images are available and the pages only partially display.

Not applicable

@Scott Thompson - MS13-105 has been validated in multiple customer environments and not shown this condition.  Please work through support channels to properly diagnose the issue you are seeing.

Not applicable

@Brian Ignore me--mis-read the article. I just need to install UR4

Not applicable

Thanks Brent.

There are so many issues in RU3 related to IE and Outlook; are these fixed in RU4? Anyone who has already applied RU4 in their environment?

Is RU4 reliable?

Not applicable

Hi guys!

I installed this one on one of my Exchange servers and Firefox OWA problem is gone.

No more memory and CPU eating :)

Anyone else has the same effect?

Not applicable

Disregard above post.

It was just one time that all worked OK; now the memory leak has appeared again :(

Not applicable

After installing this fix, all performance counters (we are using Zabbix for monitoring) have disappeared.

Exchange Team - are you using QA in development, or only customers for this? Still having WinXP issues with Public Folders after the "stable" CU3 update. So mad.

Not applicable

@Scott Thompson, Scott, I had the same issue, but on running the RU again the problem was resolved.  On investigating it seems to be a common issue with rollups.

exchangeserverpro.com/exchange-2007-owa-stops-working-with-reason0-error

and

Also search for "exchange 2007 ru reason=0" and there are plenty of threads to choose from.

Not applicable

After the update I cannot add perf counters for queues:

MSExchangeTransport Queues(*)

The counters do not appear.

Not applicable

@Brent - thanks for clarifying. I still think that "MAC Disabled Vulnerability - CVE-2013-1330" is much more serious problem, and Exploitability Index in "technet.microsoft.com/.../ms13-dec" seems to point in that direction.

I just hope everything goes well with applying this rollup ...

Can anyone tell me what is the average time needed for Rollup update 8 to finish installing? ... is service unavailable to user the whole time or?

Thanks.

Not applicable

Folks, a gentle reminder that this post relates to five different builds of Exchange.  Please state which one applies to your situation.

Thanks in advance.

Not applicable

Bharat - you didn't answer Martin's question with this response:

@Martin: Please note, mainstream support for Exchange 2007 ended in 2012. Exchange 2007 SP3 RU7 was the last Exchange 2007 update released under mainstream support. The RU7 release announcement includes this info.

That's all well and good but does the latest update for Exchange 2007 address the Internet Explorer 11 issues as seen (and fixed) in Exchange 2010 and 2013?

One could infer from your dodging the question that the answer is no, but we shouldn't have to assume anything here on what would normally be a clear yes or no question.

Not applicable

@DodgeTheQuestion: No, it does not.

No intention to dodge the question here. I pointed to the lifecycle policy docs. The FAQ indicates that non-security hotfix support "Requires extended hotfix agreement, purchased within 90 days of mainstream support ending."

I've also linked to the Exchange 2007 SP3 RU7 release post from April 2012, which includes the following support statement:

Support lifecycle statement: This is the final release under standard support for Exchange 2007, as the Exchange 2007 Mainstream Support has now ended. Extended Support for Exchange 2007 SP3 will end on 4/11/2017. Please see the Microsoft Support Lifecycle page for more information about Microsoft Support Lifecycle for Exchange 2007. Got questions about Microsoft Support Lifecycle Policy? Head over to the Microsoft Support Lifecycle Policy FAQ.

To be clear, only security-related fixes are provided when a product is on extended support, unless you have an extended hotfix agreement. IE11 support in Exchange 2007 is an example of a fix that isn't security-related, and would require an extended hotfix agreement.

Not applicable

@D  Thank you, that fixed the issue first time!  Thank you for being so helpful.  OWA now works as before.

Version history
Last update:
‎Jul 01 2019 04:16 PM