Exchange Server Quarterly Servicing updates, changes, zero day vulnerability fixes released

Yesterday we released Exchange Server quarterly servicing Cumulative Updates (for Exchange 2013/2016/2019) and Rollup Update (for Exchange 2010) for all supported versions of Exchange Server.

A few highlights:

  • These updates include fixes that mitigate the zero-day and related vulnerabilities.
  • An architectural change to EWS Push notification authentication – this change addresses the EWS Vulnerability.
  • KB4490060 outlines the details of the changes made.
  • Customers who rely upon Push Notifications should understand the important changes made.
  • EWS Pull and Streaming Notifications functionality is unchanged by today’s updates.
  • The change in Push Notification authentication is a permanent change to the product and necessary to protect the security of an Exchange Server.

The Exchange team has determined a change in the Active Directory rights granted to Exchange Servers using the default Shared Permissions Model is in order.

  • Changes in the latest cumulative updates, described in KB4490059, reduce the scope of objects where Exchange is able to write security descriptors in the directory.

Exchange Server 2010, 2013, 2016 and 2019 all receive an update package.

Learn about the Shared Permissions vs. Split Permissions model.

For more info, please refer to the detailed EHLO blog post and its guidance.

Comments

  • Anonymous
    February 14, 2019
    Good one...!! Quick questions. Is this thoroughly checked in the first place? As of tomorrow we have existing EWS applications which use EWS Pull/Push notifications functionalities should not be affected?
    • Anonymous
      March 07, 2019
      Glad that it helped you.
      • Anonymous
        March 07, 2019
        I missed answering your query - Yes, we have evaluated the changes to push notifications against many commonly used EWS clients, e.g. Outlook Mac, Skype for Business Client, native iOS mail clients, and observed no loss of functionality due to these changes. EWS Pull and Streaming Notifications functionality is unchanged by today’s updates.