Microsoft has withdrawn a critical security update it released earlier this week for Exchange Server. The company conceded that inadequate testing led to the update being rescinded. The company also acknowledged problems with two of this week's other security updates.
On Wednesday, Microsoft stated in a post to The Exchange Team Blog that it was aware of a problem with update MS13-061. The issue not only renames Microsoft Exchange Host Controller service but also prevents users from searching their mailboxes.
MS13-061 was issued to correct a vulnerability related to Oracle's OutsideIn product. Microsoft licenses the technology so that email attachments such as PDFs and Word documents can be viewed within Outlook without launching additional applications. Microsoft assigned the update a "critical" ranking, its highest designation.
[ For more on Microsoft's ill-fated security patch, see Microsoft Plans Critical Patches For Internet Explorer, Exchange. ]
The problem with MS13-061 affects neither Exchange Server 2007 nor Exchange Server 2010. Companies can proceed with testing and deploying the update for Exchange 2007 SP3 RU11, Exchange 2010 SP2 RU7, and Exchange 2010 SP3 RU2, Microsoft said. The company pulled the update for Exchange Server 2013, however, and promises a revised update package once it has diagnosed and resolved the issue.
In the meantime, the company has already recommended a workaround that protects Exchange 2013 customers from the OutsideIn exploit. Microsoft also published a troubleshooting workflow for those who have already deployed the update and are currently experiencing problems.
In a blog post, Chester Wisniewski, senior security advisor at security vendor Sophos, said that system administrators need to apply a fix or disable OutsideIn features. "The vulnerabilities have been publicly disclosed," he warned.
Microsoft has also acknowledged problems with two of its other Patch Tuesday releases.
MS13-063, which was rated "important," was deployed to patch a potential Windows kernel exploit but is causing certain games to crash. Some posters in a Microsoft forum have reported more severe problems associated with MS13-063, including error messages that prevent any applications from launching.
Several of the updates in package MS13-066, also rated "important," are causing problems with Active Directory Federation Services, meanwhile. Microsoft also noted that users may experience "functionality issues" with update 2843639, one of MS13-066's components, if they have not already applied update 2790338.
Microsoft customers also experienced several Patch Tuesday problems last month. In the aforementioned post to The Exchange Team Blog, the company admitted that flaws in MS13-061 were not previously detected because the update was not deployed for "dogfood," or on-premise, testing prior to release.
Microsoft also acknowledged that some users might be getting exhausted by the bugs and oversights. "We will work very hard to regain your trust and confidence," wrote Ross Smith, program manager for Exchange Customer Experience, in the blog. He noted that customers have been promised improved testing procedures in the past and said, "Going forward, all patches will be deployed in our dogfood environment prior to release."
He added that Microsoft will delay the release of Exchange 2013 RTM CU3 by several weeks to ensure that adequate testing is completed. He also said Exchange 2013's quarterly release cadence may change as the company refines it testing methodologies.