  • Admins, heads up! Another Patch Tuesday security hole has a public exploit

      • #2171120 Reply
        woody
        Da Boss

        A week ago today, I warned those of you running SQL Server systems to install the latest Patch Tuesday patches. In particular, CVE-2020-0618 was crack
        [See the full post at: Admins, heads up! Another Patch Tuesday security hole has a public exploit]

        2 users thanked author for this post.
      • #2171382 Reply
        PerthMike
        AskWoody Plus

        The Master Patch List for Exchange doesn’t list anything beyond November 2019 for Exchange…?

        No matter where you go, there you are.

        • This reply was modified 1 month, 1 week ago by PerthMike.
        • #2171458 Reply
          StoopidMonkey
          AskWoody Plus

          Hi PerthMike,

          The reason for this, and this is something I just realized YESTERDAY, is that as of Exchange 2013 you no longer receive cumulative updates from WSUS or Microsoft Update. You have to download them from Microsoft manually through this site:

          https://docs.microsoft.com/en-us/Exchange/new-features/updates?view=exchserver-2019

          Woody and/or Patch Lady, if you can spell that out in a fresh post I bet a LOT of admins will be surprised to hear that they haven’t received any CU updates since their initial Exchange 2013-2019 install!

      • #2171436 Reply
        Ghosties
        AskWoody Plus
        • #2171444 Reply
          jabeattyauditor
          AskWoody Lounger

          Yes. Update rollup 30 fixes this issue, along with others.

          1 user thanked author for this post.
      • #2171560 Reply
        dportenlanger
        AskWoody Lounger

        ****Caution Exchange 2016 Installs *****

        Exchange 2016 CU15 applied fine.  The patch KB4536987 broke OWA and killed search across the boards in the web client and desktop client.  Uninstalling the KB brought OWA back.  Stopping the search services and deleting the indexes brought the search back.

        Exchange 2016 users should test before installing on production servers.

        Please let me know how your update went.

        • #2172171 Reply
          dportenlanger
          AskWoody Lounger

          To answer my own question... I guess I thought I was admin... I had better double check on the next attempt.  According to the article:
          When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.
          When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working.

          This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

          • #2172276 Reply
            dportenlanger
            AskWoody Lounger

            Final notes:  Updating through Windows Update works better than downloading the patch manually.  If you have WSUS, just approve the patch and apply it.  It can be installed while the server is running.  Then, pick a reboot time and you will be golden.

            If you do decide to use the manual patch, follow the directions explicitly.

      • #2171806 Reply
        PerthMike
        AskWoody Plus

        StoopidMonkey wrote:

            Hi PerthMike,

            The reason for this, and this is something I just realized YESTERDAY, is that as of Exchange 2013 you no longer receive cumulative updates from WSUS or Microsoft Update. You have to download them from Microsoft manually through this site:

            https://docs.microsoft.com/en-us/Exchange/new-features/updates?view=exchserver-2019

            Woody and/or Patch Lady, if you can spell that out in a fresh post I bet a LOT of admins will be surprised to hear that they haven’t received any CU updates since their initial Exchange 2013-2019 install!

        Well yeah, but I’m not looking for a CU, I’m looking for the bi-monthly/quarterly security updates that Microsoft was still posting via WSUS, etc. Those were being used by MS to patch emergency issues like this.

        Those suddenly seem to have stopped as of September.

        I can’t be applying a full CU every quarter, taking my server down for a couple of hours, and hoping that this “service pack” doesn’t break more than it fixes.

        No matter where you go, there you are.

      • #2171808 Reply
        PerthMike
        AskWoody Plus

        dportenlanger wrote:

            ****Caution Exchange 2016 Installs *****

            Exchange 2016 CU15 applied fine.  The patch KB4536987 broke OWA and killed search across the boards in the web client and desktop client.  Uninstalling the KB brought OWA back.  Stopping the search services and deleting the indexes brought the search back.

            Exchange 2016 users should test before installing on production servers.

            Please let me know how your update went.

        Grrr… Dear Microsoft, medium business doesn’t have capacity for a “lab environment” to test such c****y updates.

        And if KB4536987 breaks OWA and search, that means that the issue is still unresolved by Microsoft, right? Greaaaaaaaat!

        No matter where you go, there you are.

      • #2171946 Reply
        zat_so
        AskWoody Plus

        We tried to install the update for Exchange Server 2013 (Security Update For Exchange Server 2013 CU23 (KB4536988)), but it wouldn’t install. We are running it on Windows Server 2012 R2, and that OS is not listed as a supported OS under System Requirements.

        Supported Operating System

        Windows Server 2008 R2 SP1, Windows Server 2008 R2, Windows Server 2012, Windows 7 Professional 64-bit, Windows Server 2008 R2 Standard
