Exchange Server Quarterly Servicing updates, changes, zero day vulnerability fixes released

This post has been republished via RSS; it originally appeared at: MSDN Blogs.

Yesterday we released Exchange Server quarterly servicing Cumulative Updates (for Exchange 2013/2016/2019) and Rollup Update (for Exchange 2010) for all supported versions of Exchange Server.

A few highlights:

  • These updates include fixes to mitigate the zero-day and related vulnerabilities.
  • An architectural change to EWS Push Notification authentication – this change addresses the EWS vulnerability.
  • KB4490060 outlines the details of the changes made.
  • Customers who rely upon Push Notifications should understand the important changes made.
  • EWS Pull and Streaming Notifications functionality is unchanged by today’s updates.
  • The change in Push Notification authentication is a permanent change to the product and necessary to protect the security of an Exchange Server.
  • The Exchange team has determined a change in the Active Directory rights granted to Exchange Servers using the default Shared Permissions Model is in order.
    • Changes in the latest cumulative updates, described in KB4490059, reduce the scope of objects where Exchange is able to write security descriptors in the directory.
  • Exchange Server 2010, 2013, 2016 and 2019 all receive an update package.
  • Learnt about the Shared Permissions vs. Split Permissions model.
  • For more info, please refer to the detailed EHLO blog post and its guidance.
