WSUS, Exchange 2010, and the WebReady fix

On July 31 I wrote about the increasing complexity of software engineering, illustrated by how a bug in a software library owned by Oracle and licensed to Microsoft for inclusion in Exchange 2007 and Exchange 2010 ended up causing a potential security issue. Microsoft moved quickly and fixed the bug in Exchange 2010 SP2 RU4 and Exchange 2007 SP3 RU8, released on August 14. Many articles duly followed to assess the contents of these roll-up updates, including two on the EHLO blog, one of which discussed the change to the way that calendar and task items are processed by the Managed Folder Assistant (MFA) after Exchange 2010 SP2 RU4 is deployed. As is my wont, I followed up with an article giving my thoughts on the MFA change.

The task of documenting the regular roll-up updates done, thoughts turned to other issues until a tweet arrived from Paul Bendall, who observed:

”I am not sure if you are aware but the security vulnerability relating to WebReady document viewing for Exchange and discussed in MS12-058 has a horrible implication. Those who use WSUS to deploy security updates or manually apply MS12-058 will be inadvertently applying Exchange 2010 SP2 RU4 as the security vulnerability doesn’t have a standalone update and instead requires RU4 to be deployed. To be honest I can’t believe the product team have done this as many IT Security departments will be scanning for this critically rated vulnerability and insisting Exchange Admins deploy the ‘patch’ or admins inadvertently apply RU4 believing they are just patching for the vulnerability. In my own environment I have escalated a support case with my TAM & DSE and I’d encourage anyone else to do the same as this very severe implications both now and going forward”

I hadn’t put two and two together and there was no warning or other commentary from the Exchange team to inform administrators about the tie-up between the Microsoft Security Bulletin and the need to deploy RU4, something that is a little curious.

By this stage, everyone should be aware of the need to carefully analyze an Exchange roll-up before deploying the software into a production environment simply to make sure that its deployment has no negative effect on servers. This is especially true now that Microsoft commonly incorporates new functionality and features into roll-up updates that would only have been shipped in service packs in the past. In this instance, rushing to deploy Exchange 2010 SP2 RU4 because a security bulletin advised that this was necessary to close off a potential security vulnerability could have serious ramifications if you’ve already deployed retention policies in your organization. No one wants to be at the end of a support line when users report that part of their calendar has disappeared!

In defense of the Exchange team, they followed corporate guidelines by marking RU4 as including a fix for a known security problem, which is the reason why WSUS picks up RU4 and wants to install it. The Exchange team also advised people that RU4 fixed the WebReady vulnerability through the EHLO blog. I guess an assumption was present that people would put the two together and understand that because RU4 contained a security fix, it was a candidate for automatic WSUS installation. As I proved, this isn’t always the case.

It’s genuinely difficult for administrators to keep up with roll-up updates that appear every six weeks. The upside, however, is that if you can manage to test and deploy roll-up updates reasonably soon after they appear, you’ll know that your servers run the latest and greatest software and are therefore less likely to cause problems. And because each roll-up update is a cumulative release that contains all previous fixes, it’s a reasonable tactic to deploy every second update if this approach fits better with your organization’s maintenance strategy.

I guess that the episode provides us with a lesson in that we should be better at remembering all the bits that go together to maintain what is becoming an increasingly complex software environment. Or maybe just go to the cloud... a friendly salesperson told me that everything is easier when floating on clouds, so it must be true!

Follow Tony @12Knocksinna

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.