On March 2, 2021, Microsoft released a set of out-of-band security updates for critical vulnerabilities that were discovered in Microsoft Exchange servers and are being used in targeted attacks. The affected versions are Microsoft Exchange Server 2013 / 2016 / 2019.
To apply the security update, the Exchange server needs to be on the latest cumulative update (CU) or the one before it, or on the Service Pack (SP) for Exchange 2010.
The updates can be downloaded from here:
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)
After deploying these security updates on our clients' Exchange servers, here are a few notes and recommendations for a successful installation:
- Prepare your users or clients for downtime. More downtime will be required if you need to update the Exchange server to the latest CU before applying the security updates.
- Install missing Windows updates before installing the latest CU. This is not required but just a recommendation to have the server with the latest available updates and the server rebooted before applying the CU.
- On Exchange 2016, when installing the latest CU, you might get an error that .NET Framework 4.8 is required, so install .NET Framework v4.8 before applying the latest CU.
- To install the security updates, you need to run the update file (.msp) as Administrator (right-click > Run as Administrator) on Exchange 2013 / 2016 / 2019. You might see that you don’t have that option when right-clicking the file. In that case, open PowerShell as Administrator, navigate to the location where you downloaded the security update, and run it from there. Not doing so might cause the Exchange services to stay in a Disabled state.
- On Exchange 2013, you might get a repeated warning that the IIS Worker process (with its PID) needs to be stopped to install the security update. When you try to stop/end that process in Task Manager, you’ll see that other IIS Worker processes are created, and the security update installation will give you a warning again if you click Retry. This is happening because of IIS Application Pools. Go to IIS Manager > Application Pools and stop all application pools. Then go back to Task Manager and stop/end all IIS Worker processes. Once no new IIS Worker processes are being created, retry the security update installation.
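The last two notes can be combined into one elevated PowerShell script. This is an added example, not code from the original post or from Microsoft: the `-MspPath` and `-StopIisFirst` parameter names are hypothetical, the path you pass is whatever file you downloaded, and restarting the application pools afterwards is an assumption (the notes above only cover stopping them).

```powershell
# Added example. Save as a .ps1 file and run it from an elevated PowerShell session.
param(
    [Parameter(Mandatory)][string]$MspPath,  # path to the downloaded security update (.msp)
    [switch]$StopIisFirst                    # use when setup keeps warning about IIS Worker processes
)

# Refuse to start unless the session is elevated; a non-elevated install is what
# can leave the Exchange services in a Disabled state.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open PowerShell with "Run as Administrator" and run this script again.'
}
$MspPath = (Resolve-Path -LiteralPath $MspPath).Path

# Record which Exchange services are already Disabled so the final check
# only reports services the update attempt changed.
$filter = "Name LIKE 'MSExchange%' AND StartMode = 'Disabled'"
$disabledBefore = @(Get-CimInstance Win32_Service -Filter $filter | ForEach-Object Name)

$stoppedPools = @()
if ($StopIisFirst) {
    Import-Module WebAdministration
    # Stop the application pools first; otherwise IIS recreates each worker that is ended.
    $stoppedPools = @(Get-ChildItem IIS:\AppPools | Where-Object State -eq 'Started' | ForEach-Object Name)
    foreach ($pool in $stoppedPools) { Stop-WebAppPool -Name $pool }
    Get-Process -Name w3wp -ErrorAction SilentlyContinue | Stop-Process -Force
}

# Apply the patch and wait for Windows Installer to finish.
$install = Start-Process msiexec.exe -ArgumentList '/update', "`"$MspPath`"" -Wait -PassThru
Write-Host "msiexec exit code: $($install.ExitCode) (0 = success, 3010 = success, reboot required)"

# Assumption: bring back only the pools this script stopped, if they are still down.
foreach ($pool in $stoppedPools) {
    if ((Get-WebAppPoolState -Name $pool).Value -ne 'Started') { Start-WebAppPool -Name $pool }
}

# Report Exchange services that were not Disabled before the update but are now.
$disabledAfter = @(Get-CimInstance Win32_Service -Filter $filter | ForEach-Object Name)
$newlyDisabled = @($disabledAfter | Where-Object { $_ -notin $disabledBefore })
if ($newlyDisabled) {
    Write-Warning "Exchange services left Disabled: $($newlyDisabled -join ', ')"
} else {
    Write-Host 'No Exchange service changed to Disabled.'
}
```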