Microsoft Yanks Exchange Server Update That Breaks Connection
Microsoft pulled a security update addressing four vulnerabilities in Exchange Server 2010 while software engineers address a problem with the faulty patch.
The company removed the download link and recommends that users uninstall the update until a working patch is reissued. The update, which had already been delayed by one month, addresses flaws that could let an attacker spoof the source of an email message, trick users into clicking a malicious link to an attack website, and gain elevated privileges.
"Microsoft is working to address the issue and will update this bulletin when more information becomes available," the company said in the revised bulletin Thursday. "The issue impacts the ability of Outlook to connect to Exchange, thus we are taking the action to recall the RU8 to resolve this problem. We will deliver a revised RU8 package as soon as the issue can be isolated, corrected and validated."
The security update is rated Important for all supported editions of Microsoft Exchange Server 2007, 2010 and 2013. Microsoft said the token spoofing vulnerability could make email messages appear to come from a trusted source. Exchange also suffers from cross-site scripting vulnerabilities and a URL redirect flaw.
"Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability," the company said.
Microsoft likely had a very good reason to pull the update, said Gus Chiarello, a regional sales manager at security solutions reseller and systems integrator The Herjavec Group. Botched security updates can cause serious problems for organizations, especially if they are required to roll back an update, Chiarello said. The good news, according to Chiarello, is that the update was pulled only days after the Patch Tuesday release; organizations that thoroughly test updates likely haven't had time to deploy it to Exchange Server, he said.
"Pulling back a patch can have a detrimental impact to Exchange Server, especially if there is a level of customization and third-party applications tying into it," Chiarello said. "If it is just a mail environment and the organization is not using additional functionality, it wouldn't likely be a serious problem."
The patch is the sixth Microsoft update this year to be pulled because of problems, and the second time this year that the Redmond, Wash.-based software giant has been forced to pull an update for Microsoft Exchange. A critical update for Microsoft Exchange 2013 was pulled in August less than 12 hours after it was released; it fixed three critical vulnerabilities that could be exploited remotely.
Microsoft began combining nonsecurity updates with its security patches this year, which may have increased the potential for problems, according to Chiarello and other security experts interviewed by CRN. In addition to addressing security flaws, the Exchange update fixed more than a dozen other issues, including a problem with hybrid mailboxes, a problem with meeting requests in Russian time zones and spotty connectivity.
In addition to Exchange Server, Microsoft's August Patch Tuesday included repairs impacting Windows, Internet Explorer and its Office suite. The security bulletins rated Critical address flaws in Internet Explorer, a VBScript engine error in Windows, and Microsoft Word and Office applications.
PUBLISHED DEC. 11, 2014