Late last night we became aware of an issue with MS13-061 security update for Exchange Server 2013. Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed.
For those that have already installed the MS13-061 security update for Exchange Server 2013, we already have KB 2879739 that provides the steps on how to resolve this issue. However, due to this issue and that it affects all Mailbox server installations, we have decided to pull the MS13-061 security update temporarily.
Note: This issue does not occur in Exchange 2010 or Exchange 2007. You can proceed with testing and deploying Exchange 2007 SP3 RU11, Exchange 2010 SP2 RU7, and Exchange 2010 SP3 RU2.
Recommendation
If you have already installed MS13-061 security update on your Exchange 2013 servers, we recommend following the steps in KB 2879739 to resolve the issue.
If you have not installed MS13-061 security update on your Exchange 2013 servers, we recommend not proceeding with the update at this time. To mitigate the security vulnerability, we recommend following the workaround steps identified in the Vulnerability Information – Oracle Outside in Contains Multiple Exploitable Vulnerabilities section in Microsoft Security Bulletin MS13-061.
Question/Answers
Q: What is the impact of this security vulnerability?
A: Please see the information contained within the MS13-061 Security Bulletin.
Q: I am about to upgrade from CU1 to CU2, will I be affected?
A: No, this issue does not occur when upgrading to a cumulative update. This issue only occurs when patching a .msi installation via a .msp file.
Q: Why does this issue occur with installing a .msp file?
A: During the Exchange 2013 installation (.msi installation), the service is created, the Data Folder Location registry key is created and during a post configuration step, the registry key is populated with data and the service name is rebranded. During the .msp installation, these settings are reverted back to their original installation values prior to the post-configuration step.
Q: If I follow the steps identified in the workaround, will I have issues in the future?
A: Following the steps identified in KB 2879739 will resolve the issue and not cause any future problems.
Q: What happens if I uninstall the security update?
A: You will need to follow the steps identified in KB 2879739, otherwise your search infrastructure will be broken.
Q: Why didn’t you recall the update rollups for Exchange 2010 and Exchange 2007?
A: Both Exchange 2010 and Exchange 2007 utilize a different indexing architecture and, as a result, are not impacted.
Q: How was this issue not detected in Exchange Online if Exchange Online is always receiving fixes before on-premises customers?
A: Exchange Online does not deploy .msp patches into the environment; instead, Exchange Online deploys new full builds of the product (cumulative updates, if you will) on a regular release cadence. As a result, Exchange Online was not impacted by this issue.
Q: How was this issue not detected in your on-premises deployments?
A: Unfortunately, this security update did not get deployed into our dogfood environment prior to release.
Q: You have told us time and time again that you were going to improve your testing procedures, and yet each time you have to tell us that you missed something. When will it end?
A: We will work very hard to regain your trust and confidence. With that said, we have recently made the decision to delay the release of Exchange 2013 RTM CU3 by several weeks to ensure that we have enough run time testing within our dogfood environment. Also, we will ensure that all patches are deployed in our dogfood environment prior to release going forward.
We will continue to make improvements in our release cadence and testing methodologies over time to ferret out these issues. These changes may mean that our once a quarter release cadence for Exchange 2013 may change.
Principal Program Manager
Exchange Customer Experience