Security Experts:

Unpatch Wednesday: Microsoft Pulls Flawed Exchange Server Patch

Just 24 hours after shipping a critical Exchange Server 2013 patch to cover several remote code execution vulnerabilities, Microsoft has yanked the update because it causes a corruption in the index database.

Microsoft is urging all Exchange Server 2013 users to hold off on deploying the patch until a corrected version can be issued.

"Late last night we became aware of an issue with MS13-061 security update for Exchange Server 2013. Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed," said Ross Smith, a principal program manager at Microsoft.

Microsoft LogoSmith warned that this glitch affects all Mailbox server installations, leading the company to pull the update temporarily.

For those that have already installed the MS13-061 security faulty update, Microsoft has shipped a workaround (KB 2879739) that provides steps on how to resolve the problem

The workaround s trivial and involves resetting registry entries.

Microsoft has struggled with faulty patches in the past but has done a better job recently of testing and finding problems before updates ship on Patch Tuesday.

However, in this case, Microsoft's Smith said the patch "did not get deployed into our dogfood environment prior to release." He did not provide reasons for the lack of quality assurance testing.

"We will work very hard to regain your trust and confidence. With that said, we have recently made the decision to delay the release of Exchange 2013 RTM CU3 by several weeks to ensure that we have enough run time testing within our dogfood environment. Also, we will ensure that all patches are deployed in our dogfood environment prior to release going forward," Smith said.

He said the changes in testing patches may lead to a chance in the once-per-quarter Exchange Server patch release cycle.

The MS13-061 update was shipped to fix three "publicly disclosed "vulnerabilities in Microsoft Exchange Server. The vulnerabilities could allow remote code execution and a complete compromise of a vulnerable system.

It is rated "critical" for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013.

However, the faulty patch does not affect Exchange 2010 and Exchange 2007 because those servers employ a different indexing architecture, Smith said.

view counter
Ryan is the host of the SecurityWeek podcast series "Security Conversations". He is the head of Kaspersky Lab's Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.