Today Microsoft is releasing security updates for Exchange 2007 SP3, 2010 SP2, 2010 SP3, 2013 CU2, & 2013 CU3 for MS13-105. For Exchange 2007 SP3 & 2010 SP2 these are included in the latest Rollup Updates. For Exchange 2013 Microsoft is following the updates plan they documented in the EHLO blog post “Servicing Exchange 2013” and will provide a Security Update (SU) package to be installed on top of CU2 or CU3.
The new RUs are 2007 SP3 RU12 (KB2903911 | Download), 2010 SP2 RU8 (KB2903903 | Download), and 2010 SP3 RU4 (KB2905616 | Download). For Exchange 2013 this update will be installed on top of CU2 or CU3: 2013 CU2 (KB2880833 | Download) and 2013 CU3 (KB2880833 | Download). An update for Exchange 2013 CU1 is NOT being provided, per the Microsoft policy of only supporting the current version (CU3) and one version back (CU2).
To summarize it another way:
- 2007 SP3 RU12 = 2007 SP3 RU11 + new security fixes
- 2010 SP2 RU8 = 2010 SP2 RU7 + new security fixes
- 2010 SP3 RU4 = 2010 SP3 RU3 + new security fixes
- Exchange 2013 CU2 will get a SU package containing the new required security fixes and the previously released security fix, so you only need to apply one SU if you never applied the original one
- Exchange 2013 CU3 will get a SU package containing only the new required security fixes since CU3 was released

Issues addressed:
- Updates Oracle OutsideIn libraries (previously known as Stellent) to a non-vulnerable version
- Removes an XSS attack vector in OWA logon
- Removes a deserialization attack vector by setting EnableViewStateMac in OWA
Mostly from the EHLO Blog post: Released: Microsoft Security Bulletin MS13-105 for Exchange
For Exchange Server 2007 & 2010, the update is being delivered via a NEW Update Rollup. UR3 will ONLY contain this security fix for MS13-105 and the other changes that were in UR2.
For Exchange Server 2013, this security update is being delivered as a discrete update and contains no other changes. Security updates for 2013 are cumulative in nature based upon a given Cumulative Update. This means customers who are running CU2 who have not deployed MS13-061 can move straight to the CU3 update because it will contain both updates. Customers who are already running MS13-061 on CU2 may install MS13-105 on top of MS13-061 without removing the previous release. If MS13-061 was previously deployed, Add/Remove Programs will indicate that both updates are installed. If MS13-061 was not previously deployed, only MS13-105 will appear in Add/Remove Programs.
All of these fixes will be available immediately on the download center and through Windows Update per our standard security release practice. Note that we will not be releasing Exchange Server 2010 Service Pack 3 Update Rollup 3 to Windows Update due to the closeness of these releases and to avoid the supersedence confusion created with Update Rollups that are labeled as security releases vs. those that are not. Windows Update will indicate that Update Rollup 4 supersedes Update Rollup 2 avoiding the problem of Windows Update offering Update Rollup 3 to customers who have Update Rollup 4 installed already.