Microsoft releases a bunch of Rollup and Security updates for Exchange

Moments ago, Microsoft released a bunch of Rollup Updates and (critical) security updates for Exchange:

  • Update Rollup 11 for Exchange Server 2007 SP3
  • Update Rollup 7 for Exchange Server 2010 SP2
  • Update Rollup 2 for Exchange Server 2010 SP3
  • Exchange Server 2013 RTM CU1 MSRC Security bulletin MS13-061
  • Exchange Server 2013 RTM CU2 MSRC Security bulletin MS13-061

By now, you should be familiar with the “traditional” way Update Rollups work for Exchange 2007 and 2010. What is new are the security updates for Exchange 2013. As announced before, Microsoft only supports these security updates on a limited set of Exchange 2013 builds.

As such, make sure that you are running one of the following Exchange 2013 versions before you install the security update:

  • Exchange 2013 RTM CU1
  • Exchange 2013 RTM CU2 v2

In case you’ve missed it: yes, you need version 2 of CU2 for Exchange 2013; the security update does not apply to the original CU2 build.

For more information on the updates, have a look at the original announcement here

Security Update MS13-061

It seems that Oracle is once again to blame for the critical security update, which was already announced a few days ago. As described on the Security Bulletin page, the vulnerabilities allow remote code execution on your Exchange servers.

In fact, there are multiple vulnerabilities: two of them again concern WebReady Document Viewing (just like earlier this year), and the third exists because the same Oracle “Outside In” parsing libraries are also used by Data Loss Prevention (DLP) in Exchange 2013. In each case the exposed path is a user previewing a specially crafted attachment through Outlook Web App, so the crafted file is parsed, and the code runs, on the Exchange server rather than on the client.

I haven’t had the opportunity to read more about it, but if you want more detail, the original announcement has been updated with additional information:
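Before pushing MS13-061, two things are worth checking from the Exchange Management Shell: that every Exchange 2013 server is on a CU level the update supports, and where WebReady Document Viewing (the affected feature) is still switched on. The script below is an added example, not code from the original post or from Microsoft. The build numbers it compares against are assumptions based on the public Exchange build table (CU1 = 15.0.620.29, CU2 v2 = 15.0.712.24, the original CU2 being 15.0.712.22); verify them against Microsoft’s table before relying on the result.

```powershell
# Added example (not from the original post or from Microsoft).
# Run in the Exchange Management Shell of an org that contains Exchange 2013 servers.
#
# Assumed build numbers, check them against Microsoft's Exchange build table:
#   CU1    = 15.0.620.29
#   CU2 v2 = 15.0.712.24   (the original CU2 shipped as 15.0.712.22)

function Test-Ms13061Baseline {
    [CmdletBinding()]
    param()

    Get-ExchangeServer | ForEach-Object {
        # For Exchange 2013, AdminDisplayVersion reflects the installed CU,
        # e.g. "Version 15.0 (Build 712.24)".
        $v = $_.AdminDisplayVersion
        $supported = $false
        $note = ''

        if ($v.Major -eq 15 -and $v.Minor -eq 0) {
            $isCu1   = ($v.Build -eq 620 -and $v.Revision -ge 29)
            $isCu2v2 = ($v.Build -eq 712 -and $v.Revision -ge 24)
            $supported = $isCu1 -or $isCu2v2

            if ($v.Build -eq 712 -and $v.Revision -lt 24) {
                $note = 'Original CU2 detected: install CU2 v2 before MS13-061'
            } elseif (-not $supported) {
                $note = 'CU level not supported by this security update'
            }
        } else {
            $note = 'Not Exchange 2013 (2007/2010 are serviced via Update Rollups)'
        }

        [pscustomobject]@{
            Server    = $_.Name
            Version   = $v.ToString()
            Supported = $supported
            Note      = $note
        }
    }
}

function Get-WebReadyExposure {
    # WebReady Document Viewing is configured per OWA virtual directory.
    # Both switches must be $false for the "disable WebReady" workaround
    # to actually remove the exposed parsing path.
    Get-OwaVirtualDirectory | Select-Object Server, Name,
        WebReadyDocumentViewingOnPublicComputersEnabled,
        WebReadyDocumentViewingOnPrivateComputersEnabled
}

Test-Ms13061Baseline | Format-Table -AutoSize
Get-WebReadyExposure | Format-Table -AutoSize
```

Any row with `Supported = False` and a CU2-related note needs CU2 v2 first; rows where either WebReady switch is still `True` are the servers that parse attachments with the affected libraries while you wait for a maintenance window.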

Happy updating…!


Demo of spoofing attack shows that Android & iOS devices can be wiped due to untrusted SSL certificates

Articles at Ars Technica and Tweakers.net (Dutch) reported that Peter Hannay, an Australian security expert, demonstrated at the Black Hat conference how Android and iOS devices could be wiped by spoofing the connection to the Exchange server using an untrusted SSL certificate:

Android devices that connect to an Exchange server with a self-signed certificate will connect to any server at its designated address, even when its SSL credential has been spoofed or contains invalid data. iOS devices fared only slightly better in Hannay’s tests: They issued a warning, but allowed users to connect anyway. Microsoft Windows Phone handsets, by contrast, issued an error and refused to allow the end user to connect.

For the attacker to succeed, he must be able to redirect the device’s connection to a server he controls. That is easily achieved by setting up an open Wi-Fi network: past Black Hat conferences have shown that people readily connect to unsecured Wi-Fi networks, even when they have no idea who operates them. Once the device is talking to the impostor, the remote-wipe command that ActiveSync reserves for the real server is available to the attacker.

Hannay has developed an attack that uses a Wi-Fi network to implement a rogue server with a self-signed certificate, rather than one issued by a trusted certificate authority. Vulnerable devices on the same network that try to connect to their regular Exchange server won’t reach that intended destination. Instead, they will initiate communications with Hannay’s impostor machine.

Although the problem doesn’t seem to lie with the Exchange Server, I agree with Paul Cunningham’s point of view: I’m also curious to see how Microsoft will react to these findings.
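The root cause described above is on the client side: a device that accepts whatever certificate the server presents cannot tell the real Exchange server from Hannay’s impostor. The script below is an added example, not code from the original post, from Ars Technica or from Hannay’s demo. It connects to your own ActiveSync endpoint, deliberately uses the “accept anything” validation callback (the vulnerable client behaviour) so it can retrieve the certificate, and then performs the chain and name validation a well-behaved client does, reporting whether such a client should have connected. The hostname `mail.example.com` is a placeholder for whatever name you publish for ActiveSync.

```powershell
# Added example (not from the original post or from Hannay's demo).
# Requires network access to the ActiveSync endpoint you want to check.
# $HostName is assumed to be the name devices are configured with
# (placeholder below: mail.example.com).

function Test-EasServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $tcp = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        # VULNERABLE PATTERN: a callback that returns $true for any certificate.
        # This is what a "connect to any server at its address" client does.
        # Used here only so we can fetch the certificate; never ship this in a client.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object -TypeName System.Net.Security.SslStream `
                          -ArgumentList $tcp.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList $ssl.RemoteCertificate

        # CORRECT PATTERN: build the chain against the local trust store.
        # A self-signed or rogue certificate fails here, which is what a
        # client should act on (Windows Phone refuses; Android did not).
        $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)
        $chainStatus = if ($chainOk) { 'OK' } else {
            ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }

        # Name check: GetNameInfo returns the first DNS name only; a full
        # client also walks the Subject Alternative Name extension.
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $nameOk = ($dnsName -ieq $HostName)

        [pscustomobject]@{
            Host                = $HostName
            Subject             = $cert.Subject
            Issuer              = $cert.Issuer
            SelfSigned          = ($cert.Subject -eq $cert.Issuer)
            ChainValid          = $chainOk
            ChainStatus         = $chainStatus
            NameMatches         = $nameOk
            ClientShouldConnect = ($chainOk -and $nameOk)
        }
    }
    finally {
        $tcp.Close()
    }
}

Test-EasServerCertificate -HostName 'mail.example.com' | Format-List
```

If the result shows `SelfSigned = True` or `ClientShouldConnect = False` for your real server, your users’ devices have been trained to accept an unverifiable certificate, and the devices Ars describes will accept the impostor’s certificate just as readily; the remediation on the server side is a certificate issued by a CA the devices trust, so that a rogue server’s self-signed certificate is distinguishable from yours.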

ActiveSync in the future?

Crappy ActiveSync implementations have always been a thorn in Microsoft’s side. To “force” better implementations, they launched the ActiveSync Logo Program. It seems, however, that the program has somehow missed its target…

Although Exchange Server 2013 still supports ActiveSync, Dave Stork reported that Windows 8 still ships with ActiveSync protocol version 14. This might indicate that Microsoft is reducing its effort to develop ActiveSync further. I wouldn’t be surprised if Microsoft is trying to shift away from ActiveSync in the future: that way they no longer have to deal with the problems introduced by bad ActiveSync implementations on mobile devices.

However, I haven’t come across a worthy replacement for it in the Release Preview of Exchange Server 2013 yet… Time will tell, but I’m watching closely to see what’s still to come.

Until later!


Sessions I would attend @ TechEd Europe (26-29 June, Amsterdam)

TechEd is coming back to Europe, this time landing in Amsterdam from the 26th to the 29th of June. TechEd is, in my opinion of course, a one-of-a-kind conference packed with lots and lots of great sessions on a wide range of topics. If you have the opportunity to attend the conference: don’t hesitate!

A few days ago, the first sessions were announced, so I went and had a peek at what is coming our way. The conference is usually divided into multiple “tracks”, which lets you easily identify your area of interest and pick your sessions accordingly. Because of my background (and strong personal interest), I mainly focus on the following tracks:

What you will notice is that, although I spend most of my time with products like Exchange, most of the sessions I picked are from the Security & Identity track. Why is that? Well, Exchange has been around for quite some time now. This does not mean that I know the product inside out, but a lot has already been said about it, and by nature I tend to look to the future rather than back. This is also why I focus more on new(er) products and technologies. At this time, Windows Server “8” (and therefore also Active Directory) fits that description perfectly, hence my choice of sessions that mostly cover it and its new features.

If it were possible, I would attend all of them. But at conferences like TechEd, it’s all about choices. The list below shows the sessions I would attend. Please keep in mind that these are my personal choices; it does not mean that other sessions are less worth attending!

Exchange & Lync

  • Best Practices for Virtualizing Microsoft Exchange Server 2010
  • Deep Dive: Coexistence between Microsoft Office 365 and Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2010 High Availability Deep Dive
  • Microsoft Exchange Server 2010: Troubleshooting Performance Issues

Office, Office 365 & SharePoint

  • Security Design with Claims Based Authentication

Security & Identity

  • Active Directory Virtualization Safeguards and Domain Controller Cloning with Windows Server “8”
  • How to (un)Destroy Your Active Directory: Reloaded
  • Managing and Extending Active Directory Federation Services
  • Planning, Designing, and Deploying a Highly Available AD RMS Infrastructure
  • Windows Server “8” Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT
  • Windows Server “8” Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies
  • Windows Server 8 Dynamic Access Control Overview
