Microsoft Pulls Critical Exchange Patch
Hackers may now seek to exploit the flaw, despite a Microsoft workaround
Microsoft has pulled one of its critical updates from this week’s Patch Tuesday list of fixes, as it was corrupting mailbox databases for Exchange Server 2013 users.
The update was supposed to fix three publicly disclosed vulnerabilities in the WebReady Document Viewing and Data Loss Prevention features of Exchange Server. Microsoft has pulled it thanks to the errors it was causing, and has offered a workaround.
Microsoft in a fix?
Security experts remain concerned hackers are already looking at ways to exploit the software.
“Seeing as this is a critical update and that could result in remote code execution and that the patch has already been made available, even if for a short time, you have to assume that the bad guys are actively working on exploit code for this issue,” said Ziv Mador, director of security research at Trustwave.
Microsoft has included its workaround in an updated advisory, which you can find here.
On Tuesday, Microsoft released eight security updates, three of them rated critical, the rest important. That covered 23 vulnerabilities, covering Windows, Internet Explorer and Exchange.
Users have been advised to update all products, but focus in particular on the 11 Internet Explorer flaws, as experts fear they could easily be exploited.
The other key update to focus on is MS13-060, a flaw in the Unicode Scripts Processor in Windows XP and Windows Server 2003, which “could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts”.
Are you a security expert? Try our quiz!