Skip to main content

Microsoft withdraws Exchange security update hours after release

Microsoft has been forced to quickly withdraw a security update for Exchange Server 2013 after the patch broke the message content indexing function meaning that users could not search their mailboxes.

"Late last night we became aware of an issue with MS13-061 security update for Exchange Server 2013," Microsoft employee Ross Smith said in a blog post.

"Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed."

Microsoft has advised those who haven't already against installing the update, meaning the botched release of the patch may have left mailbox's open to attack through the vulnerability it was designed to fix.

The critical security bulletin released on Tuesday said the bug could allow remote code execution of the Exchange server. To help defend against the vulnerability, Smith recommends following workaround steps identified in the Vulnerability Information – Oracle Outside in Contains Multiple Exploitable Vulnerabilities section of the original MS13-061 security bulletin as a temporary fix.

Users who have already installed the update will need to apply a workaround to fix the problem. This involves the editing of registry keys to set the value of the DisplayName registry entry to "Microsoft Exchange Search Host Controller". A full explanation can be found on Microsoft's support page.

The update has caused no reported problems with Exchange 2007 and 2010, so users of the older versions should go ahead with installation.

"If you already installed MS13-061 on Exchange 2007 and or 2010 it looks like you should be good to go as the issue does not seem to occur with those versions," explained Ziv Mador, Director of Security Research at Trustwave.