Moments ago, Microsoft released a bunch of Rollup Updates and (critical) security updates for Exchange:
- Update Rollup 11 for Exchange Server 2007 SP3
- Update Rollup 7 for Exchange Server 2010 SP2
- Update Rollup 2 for Exchange Server 2010 SP3
- Exchange Server 2013 RTM CU1 MSRC Security bulletin MS13-061
- Exchange Server 2013 RTM CU2 MSRC Security bulletin MS13-061
By now, you should be familiar with the “traditional” way Rollup Updates work for Exchange 2007 and 2010. What is new, however, are the security updates for Exchange 2013. As announced before, these security updates are only supported within a limited scope.
As such, you’ll have to make sure that you are running one of the following Exchange 2013 versions:
- Exchange 2013 RTM CU1
- Exchange 2013 RTM CU2 v2
In case you’ve missed it: Yes, you need version 2 of CU2 for Exchange 2013 installed.
For more information on the updates, have a look at the original announcement here.
Security Update MS13-061
It seems that Oracle is once again to blame for the critical security update, which was already announced a few days ago. As described on the Security Bulletin page, the vulnerability would allow remote code execution on your Exchange servers.
In fact, there are multiple vulnerabilities, two of which again have to do with WebReady Document Viewing (just like earlier this year). The third vulnerability exists because the feature called “Outside In” is used in DLP.
I haven’t had the opportunity to read more about it, but if you want, the original announcement has been updated with more information: