Microsoft has pulled the Exchange Server 2010 package of a security update addressing four vulnerabilities in Exchange Server while its engineers fix a problem with the faulty patch.
The company removed the download link and recommends that customers uninstall the update until a working version is reissued. The update, which had already been delayed a month, addresses flaws that let an attacker spoof the sender of an email message, trick users into clicking a malicious link to an attacker-controlled website, and gain elevated privileges.
"Microsoft is working to address the issue and will update this bulletin when more information becomes available," the company said in the revised bulletin Thursday. "The issue impacts the ability of Outlook to connect to Exchange, thus we are taking the action to recall the RU8 to resolve this problem. We will deliver a revised RU8 package as soon as the issue can be isolated, corrected and validated."
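Before uninstalling anything you need to know which servers actually received the recalled rollup, and on Exchange 2010 that is not obvious: update rollups do not change the version Get-ExchangeServer reports, only the file version of the Exchange binaries. The script below is an added example written for this page, not code from the article or from Microsoft. It assumes it is run from the Exchange Management Shell with WinRM access to each server, and the build number it treats as the recalled RU8 is an assumption for illustration that you should confirm against Microsoft's published build table before acting on the output.

```powershell
# Added example: find Exchange 2010 servers carrying a given rollup build.
# Rollups leave AdminDisplayVersion at the service-pack level, so the reliable
# indicator is the file version of ExSetup.exe in the Exchange Bin folder.
param(
    # Build that the recalled rollup stamps on ExSetup.exe. ASSUMED value for
    # illustration; verify it against Microsoft's Exchange build number table.
    [string]$RecalledBuild = '14.3.224.1'
)

function Get-ExchangeRollupLevel {
    param([string]$ServerName)

    # Read the install path from the Exchange 2010 setup registry key on the
    # remote server and return the ExSetup.exe file version as a plain string
    # (System.Version does not survive remoting intact, a string does).
    $version = Invoke-Command -ComputerName $ServerName -ScriptBlock {
        $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\Setup'
        $exsetup = Join-Path $setup.MsiInstallPath 'Bin\ExSetup.exe'
        ([version](Get-Item $exsetup).VersionInfo.FileVersion).ToString()
    }

    [pscustomobject]@{
        Server         = $ServerName
        ExSetupVersion = $version
    }
}

# Exchange 2010 is major version 14; skip 2007 (8) and 2013 (15) servers.
$report = Get-ExchangeServer |
    Where-Object { $_.AdminDisplayVersion.Major -eq 14 } |
    ForEach-Object { Get-ExchangeRollupLevel -ServerName $_.Name }

$report | Sort-Object Server | Format-Table -AutoSize

$affected = $report | Where-Object { [version]$_.ExSetupVersion -eq [version]$RecalledBuild }
if ($affected) {
    Write-Warning ('Recalled rollup build {0} present on: {1}' -f `
        $RecalledBuild, ($affected.Server -join ', '))
    Write-Warning 'Remove it from Control Panel > Programs and Features > View installed updates, then re-check.'
} else {
    Write-Host "No server reports build $RecalledBuild."
}
```

Run it once before removing the rollup and again afterwards; the second run should show the pre-RU8 build on every server that was listed in the warning. Pass a different -RecalledBuild if your environment's build differs from the assumed value.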
The security update is rated Important for all supported editions of Microsoft Exchange Server 2007, 2010 and 2013. Microsoft said the token spoofing vulnerability could make email messages appear to come from a trusted source. The remaining three flaws are two cross-site scripting vulnerabilities and a URL redirect flaw in Exchange.
"Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability," the company said.
Microsoft likely had a very good reason to pull the update, said Gus Chiarello, a regional sales manager at security solutions reseller and systems integrator The Herjavec Group. Botched security updates can cause serious problems for organizations, especially when they have to roll an update back, Chiarello said. The good news, according to Chiarello, is that the update was pulled only days after the Patch Tuesday release, so organizations that test updates thoroughly before deployment likely had not yet rolled it out to their Exchange servers.
"Pulling back a patch can have a detrimental impact to Exchange Server, especially if there is a level of customization and third-party applications tying into it," Chiarello said. "If it is just a mail environment and the organization is not using additional functionality, it wouldn't likely be a serious problem."
The Microsoft patch is the sixth this year to be pulled after release because of problems, and the second time this year that the Redmond, Wash.-based software giant has had to pull an update for Exchange. A critical update for Exchange 2013 was pulled in August less than 12 hours after it was released; it fixed three critical, remotely exploitable vulnerabilities.
Microsoft began bundling nonsecurity fixes with its security patches this year, which may have raised the potential for problems, according to Chiarello and other security experts interviewed by CRN. In addition to the security flaws, the Exchange rollup fixed more than a dozen other issues, including a problem with hybrid mailboxes, a problem with meeting requests in Russian time zones and spotty connectivity.
In addition to Exchange Server, Microsoft's December Patch Tuesday included fixes for Windows, Internet Explorer and the Office suite. The bulletins rated Critical address flaws in Internet Explorer, a VBScript engine error in Windows, and Microsoft Word and other Office applications.
PUBLISHED DEC. 11, 2014