Microsoft announced Wednesday afternoon that it has pulled MS13-061, one of the patches issued yesterday for vulnerabilities in Exchange Server 2013.
Microsoft said the patch is causing issues with the content index for mailbox databases. Organizations would still be able to send and receive email, but would not be able to search for messages on the server.
“After the installation of the security update, the content index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed,” Microsoft principal program manager Ross Smith said in a post on the company’s Exchange site.
Smith added that patches for Exchange 2007 and 2010 were not pulled back because both use a different indexing architecture and are not impacted.
Organizations that have already installed the patch are urged to follow the steps outlined in a Knowledge Base article released today as a workaround until a new patch is available. The workaround involves the editing of two separate registry keys.
Experts, however, think the number of companies immediately applying the patch could be relatively low given the criticality of Exchange servers to enterprises. Most likely, an Exchange patch, even a critical one, would have been reserved for a maintenance window overnight or on a weekend.
The patch was essentially the integration of an Oracle patch released last month for Outside In, a technology that turns unstructured file formats such as PDFs into normalized files. Outside In is part of Exchange’s WebReady Document Viewing and Data Loss Prevention features.
An attacker would be able to exploit the vulnerability in question if a user opened or previewed a malicious file attachment using Outlook Web Access (OWA) giving the attacker the same privileges as the victim on the Exchange Server.
“This is a fairly important patch in terms of criticality given that it’s the mail server and not a workstation,” said Qualys CTO Wolfgang Kandek.
The issue is amplified because with the OWA module on Exchange, the browser pulls a message into Exchange and using Outside In, processes the message on Exchange exposing the server to attack.
Kandek said organizations that don’t allow OWA or turn off a visualization mode that renders documents are not affected; documents such as PDFs instead would be processed by a reader such as Adobe or Foxit avoiding the attack vector.
In the meantime, Kandek said he hopes Microsoft is transparent about the reason for faulty patch and why it wasn’t caught in testing.
“I think it’s important because we tell people they should install patches as quickly as possible,” Kandek said. “When a patch breaks, that’s an issue.”
The Exchange patch was one of three critical bulletins sent out yesterday in Microsoft’s August Patch Tuesday updates.
