Security bulletin MS13-105 was released by Microsoft and it affects these products:
- Exchange Server 2007 SP3
- Exchange Server 2010 RTM, SP1, SP2, and SP3
- Exchange Server 2013 CU2
- Exchange Server 2013 CU3
Exchange 2007 and 2010 get new Rollup Updates, while Exchange 2013 just gets a security patch.
Information about the patch can be found here – patch here. This release is included in the following updates for each affected version:
- Exchange 2007 SP3 RU12 – http://support.microsoft.com/kb/2903911
- Exchange 2010 RTM RU5 – http://support.microsoft.com/?kbid=2407113
- Exchange 2010 SP1 RU8 – http://support.microsoft.com/kb/2787763
- Exchange 2010 SP2 RU8 – http://support.microsoft.com/kb/2903903/en-us
- Exchange 2010 SP3 RU4 – http://support.microsoft.com/kb/2905616
- Exchange 2013 RU1 – http://www.microsoft.com/downloads/details.aspx?FamilyID=e5c9ecf5-e36f-4164-9960-c91d01a83521
- Exchange 2013 RU2 – http://www.microsoft.com/downloads/details.aspx?FamilyID=35f891ce-8a0d-4d25-abe1-ea45ec81b4e0
A brief summary of the fix from Microsoft:
This security update resolves three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. These vulnerabilities could allow remote code execution in the security context of the LocalService account if an attacker sends an email message containing a specially crafted file to a user on an affected Exchange server. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network.
I’ve had one customer report that OWA was broken on his Exchange 2007 SP3 Server and he was able to uninstall and reinstall CU11. From the error message they reported, the fix would have been to reinstall RU12.