Security Bulletin
Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2876063)
Published: August 13, 2013 | Updated: August 27, 2013
Version: 3.0
General Information
Executive Summary
This security update resolves three publicly disclosed vulnerabilities in Microsoft Exchange Server. The vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing uses the credentials of the LocalService account. The Data Loss Prevention feature hosts code that could allow remote code execution in the security context of the Filtering Management service if a specially crafted message is received by the Exchange server. The Filtering Management service in Exchange uses the credentials of the LocalService account. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network.
This security update is rated Critical for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerabilities by updating the affected Oracle Outside In libraries to a non-vulnerable version. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerabilities entry under the next section, Vulnerability Information.
Recommendation. Customers can configure automatic updating to check online for updates from Microsoft Update by using the Microsoft Update service. Customers who have automatic updating enabled and configured to check online for updates from Microsoft Update typically will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates from Microsoft Update and install this update manually. For information about specific configuration options in automatic updating in supported editions of Windows XP and Windows Server 2003, see Microsoft Knowledge Base Article 294871. For information about automatic updating in supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, see Understanding Windows automatic updating.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Known Issues. None
Knowledge Base Article
Knowledge Base Article | 2876063 |
---|---|
File information | Yes |
SHA1/SHA2 hashes | Yes |
Known issues | Yes |
Affected and Non-Affected Software
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
Affected Software
Software | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced |
---|---|---|---|
Microsoft Server Software | |||
[Microsoft Exchange Server 2007 Service Pack 3](https://www.microsoft.com/download/details.aspx?familyid=4a600fae-7e10-4a96-9f39-c1e90365086d) (2873746) | Remote Code Execution | Critical | 2788321 in [MS13-012](http://go.microsoft.com/fwlink/?linkid=279801) |
[Microsoft Exchange Server 2010 Service Pack 2](https://www.microsoft.com/download/details.aspx?familyid=88c04e81-365b-48b0-9e11-fd9533fac364) (2874216) | Remote Code Execution | Critical | 2746164 in [MS13-012](http://go.microsoft.com/fwlink/?linkid=279801) |
[Microsoft Exchange Server 2010 Service Pack 3](https://www.microsoft.com/download/details.aspx?familyid=75a59791-395c-4352-886a-ae4966dd309a) (2866475) | Remote Code Execution | Critical | None |
[Microsoft Exchange Server 2013 Cumulative Update 1](https://www.microsoft.com/download/details.aspx?familyid=24adc6bc-ad05-44a7-91b3-84812834a18c) (2874216) | Remote Code Execution | Critical | None |
[Microsoft Exchange Server 2013 Cumulative Update 2](https://www.microsoft.com/download/details.aspx?familyid=74e61c7a-ffa0-4524-86a2-6c613529a775) (2874216) | Remote Code Execution | Critical | None |
Non-Affected Software
Microsoft Server Software |
---|
Microsoft Exchange Server 2003 Service Pack 2 |
Update FAQ
Why was this bulletin revised on August 27, 2013?
Microsoft rereleased this bulletin to announce the reoffering of the 2874216 update affecting Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2. The rereleased update resolves an issue with the original update, released on August 13, 2013, that could cause Exchange Server to stop indexing mail on servers. Customers who already installed the original update will be reoffered the 2874216 update and are encouraged to apply it at the earliest opportunity.
If I am running the first offering of 2874216, do I need to execute the steps outlined in KB 2879739 after applying the rereleased update?
This rereleased update addresses the issue that caused the original 2874216 update to install incorrectly on Exchange servers that previously had not been updated. To restore full functionality to any server that has had the first offering of 2874216 installed on it, administrators need to apply the rereleased 2874216 update and also follow the steps detailed in Knowledge Base Article 2879739.
What happens if a security update or any other interim update patch is uninstalled?
Removing any security update or interim update patch will cause the content indexing service to fail. To restore full functionality, it will be necessary to follow the steps outlined in Knowledge Base Article 2879739. The issue with uninstalling a security or interim update will be resolved in Cumulative Update 3.
Why was this bulletin revised on August 14, 2013? What happened to the original 2874216 security updates for Microsoft Exchange Server 2013?
Microsoft is aware of an issue with the 2874216 updates affecting Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2 that could cause Exchange Server to stop indexing mail on servers. Microsoft has removed the updates from Windows Update and the Download Center and is investigating the issue. Microsoft will release new packages once the issue has been resolved.
The Oracle Critical Patch Update advisories discuss multiple vulnerabilities. Which vulnerabilities does this update address?
This update addresses three vulnerabilities: CVE-2013-3781 and CVE-2013-3776, as discussed in Oracle Critical Patch Update Advisory - July 2013, and CVE-2013-2393, as discussed in Oracle Critical Patch Update Advisory - April 2013.
Does this update contain any non-security related changes to functionality?
Yes, depending on the version of Microsoft Exchange Server installed. In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes other functionality changes as described in the associated KB articles for the affected rollup updates listed below.
- For Update Rollup 11 for Exchange Server 2007 Service Pack 3 (2873746), see Microsoft Knowledge Base Article 2873746.
- For Update Rollup 2 for Exchange Server 2010 Service Pack 3 (2866475), see Microsoft Knowledge Base Article 2866475.
These are vulnerabilities in third-party code, Oracle Outside In libraries. Why is Microsoft issuing a security update?
Microsoft licenses a custom implementation of the Oracle Outside In libraries, specific to the product in which the third-party code is used. Microsoft is issuing this security update to help ensure that all customers using this third-party code in Microsoft Exchange are protected from these vulnerabilities.
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, see the Microsoft Support Lifecycle website.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, see the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the August bulletin summary. For more information, see Microsoft Exploitability Index.
Affected Software | Oracle Outside In Contains Multiple Exploitable Vulnerabilities: CVE-2013-2393 | Oracle Outside In Contains Multiple Exploitable Vulnerabilities: CVE-2013-3776 | Oracle Outside In Contains Multiple Exploitable Vulnerabilities: CVE-2013-3781 | Aggregate Severity Rating |
---|---|---|---|---|
Microsoft Exchange Server 2007 Service Pack 3 (2873746) | Critical Remote Code Execution | Critical Remote Code Execution | Critical Remote Code Execution | Critical |
Microsoft Exchange Server 2010 Service Pack 2 (2874216) | Critical Remote Code Execution | Critical Remote Code Execution | Critical Remote Code Execution | Critical |
Microsoft Exchange Server 2010 Service Pack 3 (2866475) | Critical Remote Code Execution | Critical Remote Code Execution | Critical Remote Code Execution | Critical |
Microsoft Exchange Server 2013 Cumulative Update 1 (2874216) | Critical Remote Code Execution | Critical Remote Code Execution | Critical Remote Code Execution | Critical |
Microsoft Exchange Server 2013 Cumulative Update 2 (2874216) | Critical Remote Code Execution | Critical Remote Code Execution | Critical Remote Code Execution | Critical |
Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
Security update file name | For Microsoft Exchange Server 2007 Service Pack 3: Exchange2007-KB2873746-x64-EN.msp |
Installation switches | See Microsoft Knowledge Base Article 912203 |
Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
Update log file | KB2873746.log |
Removal information | Use Add or Remove Programs item in Control Panel. |
File information | See Microsoft Knowledge Base Article 2873746 |
Registry key verification | For Microsoft Exchange Server 2007 Service Pack 3: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2007\SP2\KB2873746 |
Microsoft Exchange Server 2010 Service Pack 2
Reference Table
The following table contains the security update information for this software.
Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
Security update file name | For Microsoft Exchange Server 2010 Service Pack 2: Exchange2010-KB2874216-x64-en.msp |
Installation switches | See Microsoft Knowledge Base Article 912203 |
Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
Update log file | KB2874216.log |
Removal information | Use Add or Remove Programs item in Control Panel. |
File information | See Microsoft Knowledge Base Article 2874216 |
Registry key verification | For Microsoft Exchange Server 2010 Service Pack 2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2010\SP1\KB2874216 |
Microsoft Exchange Server 2010 Service Pack 3
Reference Table
The following table contains the security update information for this software.
Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
Security update file name | For Microsoft Exchange Server 2010 Service Pack 3: Exchange2010-KB2866475-x64-en.msp |
Installation switches | See Microsoft Knowledge Base Article 912203 |
Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
Update log file | KB2866475.log |
Removal information | Use Add or Remove Programs item in Control Panel. |
File information | See Microsoft Knowledge Base Article 2866475 |
Registry key verification | For Microsoft Exchange Server 2010 Service Pack 3: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2010\SP3\KB2866475 |
Microsoft Exchange Server 2013
Reference Table
The following table contains the security update information for this software.
Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
Security update file name | For Microsoft Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2: Exchange2013-KB2874216-v2-x64-en.msp |
Installation switches | See Microsoft Knowledge Base Article 912203 |
Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
Update log file | KB2874216.log |
Removal information | Use Add or Remove Programs item in Control Panel. |
File information | See Microsoft Knowledge Base Article 2874216 |
Registry key verification | For supported editions of Microsoft Exchange Server 2013: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2013\SP1\KB2874216 |
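The registry key verification values in the reference tables above can be checked across several servers at once. The following PowerShell is an added example, not part of the bulletin: the function name `Test-Ms13061Update`, the product labels and the server names `EXCH01`/`EXCH02` are hypothetical, the key paths are the bulletin's values with their backslashes written out, and remote checks assume PowerShell remoting is enabled on the target servers.

```powershell
# Added example (not from the bulletin). Key paths are the bulletin's
# "Registry key verification" values; HKLM: is PowerShell's drive for
# HKEY_LOCAL_MACHINE. Product labels are hypothetical shorthand.
$Ms13061 = @{
    '2007SP3' = @{ KB = 'KB2873746'; Key = 'HKLM:\SOFTWARE\Microsoft\Updates\Exchange 2007\SP2\KB2873746' }
    '2010SP2' = @{ KB = 'KB2874216'; Key = 'HKLM:\SOFTWARE\Microsoft\Updates\Exchange 2010\SP1\KB2874216' }
    '2010SP3' = @{ KB = 'KB2866475'; Key = 'HKLM:\SOFTWARE\Microsoft\Updates\Exchange 2010\SP3\KB2866475' }
    '2013'    = @{ KB = 'KB2874216'; Key = 'HKLM:\SOFTWARE\Microsoft\Updates\Exchange 2013\SP1\KB2874216' }
}

function Test-Ms13061Update {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('2007SP3', '2010SP2', '2010SP3', '2013')]
        [string] $Product,

        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    $entry = $Ms13061[$Product]
    # Kept to a single Test-Path so it also runs on older remote PowerShell versions.
    $probe = { param($key) Test-Path -LiteralPath $key }

    foreach ($computer in $ComputerName) {
        $present = $null   # stays $null when the server could not be checked
        $note = ''
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $present = & $probe $entry.Key
            } else {
                $present = Invoke-Command -ComputerName $computer -ScriptBlock $probe `
                    -ArgumentList $entry.Key -ErrorAction Stop
            }
        } catch {
            $note = "check failed: $($_.Exception.Message)"
        }
        if ($present -and $Product -eq '2013') {
            # Per the Update FAQ: servers that had the first offering need the
            # rereleased package plus the steps in KB 2879739.
            $note = 'Confirm Exchange2013-KB2874216-v2-x64-en.msp was applied; see KB 2879739 if the first offering was installed.'
        }
        New-Object PSObject -Property @{
            Computer = $computer; Product = $Product; KB = $entry.KB
            KeyPresent = $present; Note = $note
        } | Select-Object Computer, Product, KB, KeyPresent, Note
    }
}

# Constructed usage; EXCH01 and EXCH02 are placeholder server names:
# Test-Ms13061Update -Product 2010SP3 -ComputerName EXCH01, EXCH02 | Format-Table -AutoSize
```

A `KeyPresent` value of `False` means the key listed for that product was not found on the server; an empty value means the server could not be queried and the reason is in `Note`.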
Other Information
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please go to the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Support
How to obtain help and support for this security update
- Help installing updates: Support for Microsoft Update
- Security solutions for IT professionals: TechNet Security Troubleshooting and Support
- Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
- Local support according to your country: International Support
Disclaimer
The information provided in the Microsoft Knowledge Base is provided 'as is' without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (August 13, 2013): Bulletin published.
- V2.0 (August 14, 2013): Rereleased bulletin to remove the 2874216 updates for Microsoft Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2 to address an issue with the updates. See the Update FAQ for details.
- V3.0 (August 27, 2013): Rereleased bulletin to announce the reoffering of the 2874216 update for Microsoft Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2. See the Update FAQ for details.
Built at 2014-04-18T13:49:36Z-07:00