Patch Tuesday Problem: Microsoft Pulls Critical Exchange Update


Microsoft yanked a critical Exchange 2013 security patch less than 12 hours after releasing it as part of its Patch Tuesday update . Patch Tuesday included eight new security bulletins with three of them labeled "critical," including one for the Exchange 2013 email server software.

The MS13-061 security update for Exchange fixed three vulnerabilities that could open a door for remote code execution via a "specially crafted message received by the Exchange server," according to Microsoft, Redmond, Wash. The patch Microsoft originally deployed fixes the problem, but also causes a corruption of the Exchange index database, according to Wolfgang Kandek, CTO of security and compliance software provider Qualys, Redwood City, Calif.

"Email users [using Exchange 2013 servers] will experience problems searching for email stored on corporate networks," Kandek said.

[Related: The 7 Deadly Sins Of Information Security]

Kandek said there is a workaround posted to Microsoft for anyone who installed the server patch and is seeing signs of the issue. The workaround, Kandek said, involves the editing of registry keys.

According to Kandek, Microsoft has released a number of patches this year that were not fully baked, impacting a small number of Microsoft customers. "What concerns me is that Microsoft may erode confidence in deployed patches that aren't fully vetted for each use scenario," he said. The danger is people will not update their systems for fear the patches will do more harm than good. In the interim, hackers use the public patch data to find vulnerabilities, Kandek added.

Kandek said this most recent Microsoft patch is the fifth this year that was later pulled. He said it is "virtually impossible for an enterprise software maker to account for all configuration variations present in customer environments, so a workable solution will focus on getting it right for the large majority of system users." The responsibility, he said, also rests on system administrators, who should follow the rule of patch deployment as such: One percent of users the first day, 10 percent the second and the rest on the third.

Patch Tuesday included fixes for 23 vulnerabilities. Chief among them were MS13-059, MS13-060 and MS13-061. Each of these were rated "critical," with the first affecting Internet Explorer that Microsoft advised users to install as quickly as possible. That patch (MS13-059) fixed 11 vulnerabilities in all versions of IE from IE6 to IE10.

PUBLISHED AUG. 15, 2013