Microsoft Re-releases Several Exchange Update Rollups Due to Code Signing Issue
Microsoft has discovered that digital certificates used to sign some files in recent Update Rollups for Exchange Server 2010 and Exchange Server 2007 will expire prematurely, some within the next couple of months. This was documented in a recent Security Advisory. As a result, Microsoft has released corrected versions of Update Rollup 4 for Exchange Server 2010 SP2, Update Rollup 7 for Exchange Server 2010 SP1, and Update Rollup 8 for Exchange Server 2007 SP3. For the most part, the code and feature set are unchanged. The exception is Update Rollup 4 for Exchange Server 2010 SP2, which now includes the fix from KB 2756987 for a problem with Outlook 2010 and 2013 where only one result is returned when clicking “view all results”. All of these Update Rollups, dubbed the “V2” of each, are now available for download at the links below.
When installing these Update Rollups, you do not need to uninstall the original version first.
Microsoft has noted in another Advisory from Security Research and Defense that this isn’t an Exchange issue, and that it is reissuing other recent releases as well, including some security patches. I suggest you read that advisory to see how it may impact other systems in your environment.
Microsoft has also released a WinVerifyTrust package to verify that the issue is resolved. Download the appropriate version if you’d like to ensure you’re safe.
It’s also important to know that some third-party applications and solutions may display unexpected results if they query these incorrect time stamps. As a result, it’s recommended that you install the V2 versions even if you already have the original V1 version installed. Microsoft states: “We encourage all customers to apply the re-released, re-signed security updates as they become available. As an additional defense-in-depth measure, we recommend that customers also apply the updated WinVerifyTrust package which serves as an effective way for Windows and Microsoft applications to extend the validity period of these packages beyond the premature expiration date. We should be clear that the re-released, re-signed security updates by themselves are sufficient to address the potential compatibility issue and the WinVerifyTrust package is not strictly necessary – it is offered as a defense-in-depth option to customers who want to ensure that this issue does not affect them between now and the time they apply the updated security updates.”
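To see which signed files on a server are affected by a soon-to-expire signing certificate, before and after installing the V2 rollup, the following added example (not from Microsoft or the original post) inventories Authenticode signatures with the built-in `Get-AuthenticodeSignature` cmdlet. The function name, the 90-day window, the file extensions, and the use of the `ExchangeInstallPath` environment variable as the scan root are assumptions made for illustration.

```powershell
# Added example: report signer-certificate expiry for signed files under a folder.
# Assumptions: function name, 90-day window, extension list, default scan root.
function Get-SignerExpiryReport {
    param(
        [string]$Root = $env:ExchangeInstallPath,
        [int]$WarnDays = 90
    )
    if (-not $Root -or -not (Test-Path -LiteralPath $Root)) {
        throw "Scan root not found: '$Root'"
    }
    $cutoff     = (Get-Date).AddDays($WarnDays)
    $extensions = '.dll', '.exe', '.msi', '.ps1', '.psm1'

    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
        # Files only, limited to types that normally carry a signature
        Where-Object { -not $_.PSIsContainer -and $extensions -contains $_.Extension } |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        # Unsigned files have no signer certificate; skip them
        Where-Object { $_.SignerCertificate } |
        Select-Object Path, Status,
            @{ n = 'Signer';        e = { $_.SignerCertificate.Subject } },
            @{ n = 'SignerExpires'; e = { $_.SignerCertificate.NotAfter } },
            @{ n = 'Timestamped';   e = { $null -ne $_.TimeStamperCertificate } },
            @{ n = 'ExpiresSoon';   e = { $_.SignerCertificate.NotAfter -lt $cutoff } }
}

# Files to review first: the signer certificate expires inside the window,
# or the signature does not currently validate.
Get-SignerExpiryReport |
    Where-Object { $_.ExpiresSoon -or $_.Status -ne 'Valid' } |
    Sort-Object SignerExpires |
    Format-Table Path, Status, SignerExpires, Timestamped -AutoSize
```

Running it once before and once after applying the V2 rollup shows whether the files flagged in the first pass were replaced with re-signed copies.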
This latest blunder doesn’t give Exchange IT professionals a warm fuzzy feeling. This is the latest in a string of bungled releases that have had to be re-released due to some problem. While I applaud Microsoft for identifying and correcting the issue without trying to hide it, I have to wonder if it’s safe to install any patches for fear they may further break an Exchange environment. A long-standing belief that many have is to not install RTM software – wait till the first service pack comes out. I’ve never held on to that, but Microsoft sure isn’t doing much in the public eye to help rid that belief. Let’s hope this is a lesson learned and this type of public humiliation for Microsoft doesn’t become any more of a pattern.