Microsoft removes Exchange 2013 patch after users report problems

Microsoft has pulled one of the eight patches it released on Tuesday as part of its monthly security update after customers reported installation issues.

The MS13-061 fix, which addresses three publicly disclosed vulnerabilities in Exchange Server, was scrapped after Microsoft became aware that installing it caused problems specific to the 2013 environment. Neither Exchange 2007 or 2010 were affected.

"The content index for mailbox databases shows as 'failed' and the Microsoft Exchange Search Host Controller service is renamed," Ross Smith, Microsoft's principal program manager of the Exchange Server group said in a blog post.

The three bugs lie in the way Exchange files are processed by Oracle Outside In, a set of libraries that software developers use to decode hundreds of file formats.

For administrators that have already deployed the patch, Microsoft recommended applying the KB 2879739 workaround. For those who have not yet installed the fix, the software giant suggested they avoid it and instead follow the Exploitable Vulnerabilities portion of the original security bulletin.

Microsoft dispatched eight fixes for 23 vulnerabilities on Tuesday.

Three of the fixes were deemed 'critical' because they addressed bugs that all allowed remote code execution (RCE) after a user opened a malicious file or viewed an infected web page.

The highest-priority patch, MS13-059, resolves 11 vulnerabilities affecting Internet Explorer, from IE6 running on Windows XP to IE10 running on Windows 8 and RT tablets. The bulletin patched 'severe vulnerabilities' that could allow an attacker to obtain the same user rights as victims if they visit an infected web page.

A second critical bulletin, MS13-060, fixed one privately reported flaw in Unicode Scripts Processor, a Windows service used to render Unicode-encoded text.  If exploited, the bug could also allow a saboteur to remotely execute code after a user views a malicious document or web page using an application that supports embedded OpenType fonts.

Additional patches in the Microsoft update addressed bugs rated as 'important' that could allow attackers to carry out denial-of-service attacks and gain elevated rights privileges.

This article originally appeared at scmagazineuk.com