Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Unpatch Wednesday: Microsoft Pulls Flawed Exchange Server Patch

Just 24 hours after shipping a critical Exchange Server 2013 patch to cover several remote code execution vulnerabilities, Microsoft has yanked the update because it causes a corruption in the index database.

Just 24 hours after shipping a critical Exchange Server 2013 patch to cover several remote code execution vulnerabilities, Microsoft has yanked the update because it causes a corruption in the index database.

Microsoft is urging all Exchange Server 2013 users to hold off on deploying the patch until a corrected version can be issued.

“Late last night we became aware of an issue with MS13-061 security update for Exchange Server 2013. Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed,” said Ross Smith, a principal program manager at Microsoft.

Microsoft LogoSmith warned that this glitch affects all Mailbox server installations, leading the company to pull the update temporarily.

For those that have already installed the MS13-061 security faulty update, Microsoft has shipped a workaround (KB 2879739) that provides steps on how to resolve the problem

The workaround s trivial and involves resetting registry entries.

Microsoft has struggled with faulty patches in the past but has done a better job recently of testing and finding problems before updates ship on Patch Tuesday.

However, in this case, Microsoft’s Smith said the patch “did not get deployed into our dogfood environment prior to release.” He did not provide reasons for the lack of quality assurance testing.

“We will work very hard to regain your trust and confidence. With that said, we have recently made the decision to delay the release of Exchange 2013 RTM CU3 by several weeks to ensure that we have enough run time testing within our dogfood environment. Also, we will ensure that all patches are deployed in our dogfood environment prior to release going forward,” Smith said.

Advertisement. Scroll to continue reading.

He said the changes in testing patches may lead to a chance in the once-per-quarter Exchange Server patch release cycle.

The MS13-061 update was shipped to fix three “publicly disclosed “vulnerabilities in Microsoft Exchange Server. The vulnerabilities could allow remote code execution and a complete compromise of a vulnerable system.

It is rated “critical” for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013.

However, the faulty patch does not affect Exchange 2010 and Exchange 2007 because those servers employ a different indexing architecture, Smith said.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

Robert Shaker II has joined application security firm ActiveState as Chief Product and Technology Officer.

MorganFranklin Cyber has promoted Nick Stallone and Ferdinand Hamada into newly created roles.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.