ENow Blog | Exchange Center

The Latest Security Updates for Microsoft Exchange Servers

Written by AmyKelly Petruzzella | Jul 29, 2021 12:43:23 PM

When it comes to cybersecurity, the threat landscape over the last 12 months has never been more complex and challenging. During Microsoft’s annual partner event, Microsoft Inspire, a strong emphasis was put on trust and security. According to Microsoft, they have been busy thwarting and tracking the following:

  •  
  • 30B email threats intercepted and thwarted
  • 31B authentication attacks intercepted and thwarted
  • 40+ active nation-state actors currently tracked
  • 140+ threat groups currently tracked
Exploiting known security vulnerabilities is one key way bad actors compromise organizations and users. As new flaws are discovered, hackers always have plenty of fresh meat from which they can carry out attacks against vulnerable products. Of course, individual organizations can protect themselves by addressing known security vulnerabilities with patches that providers, such as Microsoft, release to their customers. But often that task falls by the organization wayside. Whether due to lack of time or staff or resources, many organizations fail to patch critical security flaws before it's too late. And that failure is something criminals count on.

Our ambition at ENow is to help every organization adopt a zero-trust architecture, while also reducing the complexities, costs, and risks. This article describes the most recent security updates to Microsoft Exchange 2016 and Exchange 2019. You can use the information in this article to verify the version of Microsoft Exchange Server that is running in your organization.

Description of the security update for Microsoft Exchange Server 2019: July 13, 2021 (KB5004780)

Security Update 1 for Exchange Server 2019 Cumulative Update 10 resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):

  •  

Security Update 3 for Exchange Server 2019 Cumulative Update 9 resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):

  •  
  • CVE-2021-31196 | Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-31206 | Microsoft Exchange Server Remote Code Execution Vulnerability
  • The Exchange Server version number is now added to the HTTP response reply header. You can use this information to validate the security update status of Exchange-based servers in your network.

Important: To be able to successfully install this security update, you must first follow the steps in this article to make sure that the server authentication certificate is present and is not expired. If the OAuth certificate is not present or is expired, republish the certificate before you install this update




  • Issue 1

    When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.

    When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) might stop working.

    This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

    Note: This issue does not occur if you install the update through Microsoft Update.

    To avoid this issue, follow these steps to manually install this security update:

    1. Select Start, and type cmd.
    2. In the results, right-click Command Prompt, and then select Run as administrator.
    3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
    4. Type the full path of the .msp file, and then press Enter.
  • Issue 2

    Exchange services might remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition might occur if the service control scripts experience a problem when they try to return Exchange services to their usual state.

    To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.
  • Issue 3

    When you block third-party cookies in a web browser, you might be continually prompted to trust a particular add-in even though you keep selecting the option to trust it. This issue occurs also in privacy window modes (such as InPrivate mode in Microsoft Edge). This issue occurs because browser restrictions prevent the response from being recorded. To record the response and enable the add-in, you must enable third-party cookies for the domain that's hosting OWA or Office Online Server in the browser settings. To enable this setting, refer to the specific support documentation for the browser.

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Windows Update: FAQ.

To get the standalone package for this update, go to the Microsoft Update Catalog website.

You can get the standalone update package through the Microsoft Download Center.

  •  

For deployment information about this update, see security update deployment information: June 13, 2021.

This security update replaces the following previously released updates:

  •  

Description of the security update for Microsoft Exchange Server 2016: July 13, 2021 (KB5004779)

Security Update 1 for Exchange Server 2016 Cumulative Update 21 resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):

  •  

Security Update 3 for Exchange Server 2016 Cumulative Update 20 resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):

  •  

Important: To be able to successfully install this security update, you must first follow the steps in this article to make sure that the server authentication certificate is present and is not expired. If the OAuth certificate is not present or is expired, republish the certificate before you install this update.

  •  
  • Issue 1

    When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.

    When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) might stop working.

    This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

    Note: This issue does not occur if you install the update through Microsoft Update.

    To avoid this issue, follow these steps to manually install this security update:
    1. Select Start, and type cmd.
    2. In the results, right-click Command Prompt, and then select Run as administrator.
    3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
    4. Type the full path of the .msp file, and then press Enter.
  • Issue 2

    Exchange services might remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition might occur if the service control scripts experience a problem when they try to return Exchange services to their usual state.

    To fix this issue, use Services Manager to restore the startup type to Automatic , and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.
  • Issue 3

    When you block third-party cookies in a web browser, you might be continually prompted to trust a particular add-in even though you keep selecting the option to trust it. This issue occurs also in privacy window modes (such as InPrivate mode in Microsoft Edge). This issue occurs because browser restrictions prevent the response from being recorded. To record the response and enable the add-in, you must enable third-party cookies for the domain that's hosting OWA or Office Online Server in the browser settings. To enable this setting, refer to the specific support documentation for the browser.

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Windows Update: FAQ.

To get the standalone package for this update, go to the Microsoft Update Catalog website.

You can get the standalone update package through the Microsoft Download Center.

  •  
For deployment information about this update, see security update deployment information: July 13, 2021.

This security update replaces the following previously released updates:

  •  

Exchange Hybrid and Office 365 Monitoring and Reporting

On-premises components, such as AD FS, PTA, and Exchange Hybrid are critical for Office 365 end user experience. In addition, something as trivial as expiring Exchange or AD FS certificates can certainly lead to unexpected outages. By proactively monitoring hybrid components, ENow gives you early warnings where hybrid components are reaching a critical state, or even for an upcoming expiring certificate. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.

Access your free 14-day trial of ENow’s Exchange Hybrid and Office 365 Monitoring and Reporting today!