This week, Microsoft unleashed Update Rollup 3 for Exchange Server 2007
Service Pack 1 onto the world - on Patch Tuesday, along with a number of
other “important” security patches. This timing is no coincidence.
Included in UR3 is a fix for an OWA security hole that can cause an
elevation of privilege (MS08-039). Nor was this problem unique to
SP1 - Microsoft also released UR7 for Exchange Server 2007 RTM (that is,
the version without a service pack) and a hotfix for Exchange Server
2003 Service Pack 2 (earlier versions of Exchange 2003 are no longer
supported) to correct the same issues.
The OWA fix actually addresses two security vulnerabilities - both of
which are Cross-Site Scripting (XSS) vulnerabilities. An XSS
vulnerability is one where a bad guy talks a user into visiting a
web page that contains a payload. This payload is generally some kind of
program - like JavaScript - that can do something nasty on the
user’s behalf. It does this by finding a way to impersonate the user:
because the script runs inside the user’s browser session, the web
application (here, OWA) treats whatever the script does as if the user
had done it. Once that code impersonates the user, it basically has free
rein to mess things up (well, only as much as that particular user can -
this is why Vista’s UAC is a good thing!). If you want to know more
about XSS, see the Wikipedia entry on it. Well, some smart guy (or
security researcher, take your pick) found two problems in OWA where it
was vulnerable to XSS payloads. UR3 closes those holes.
Of course, this is far from the only fix in UR3. A correction that is
near and dear to me is a fix for the Import-Mailbox Exchange Management
Shell cmdlet. Ever since the initial release of Exchange Server 2007,
the IncludeFolders parameter of Import-Mailbox has been broken -
specifying it would cause the cmdlet to crash. This has now been
corrected. YAY! (This particular fix is described in
KB 949549.)
There are also fixes for three common problems that I’ve seen discussed on various mailing lists and newsgroups:
Because of the way Exchange 2007 handles update rollups now, this is a big patch. As I examined the patch manifest, I was astounded - there are hundreds of files contained within the patch. At 34 MB in size, it’s about 10 percent of the size of the full Exchange (English) release. Then I remembered that it’s fully cumulative - all of the changes to everything since Service Pack 1 are included in UR3.
Obviously, this is a pretty important roll-up to roll out.
However, I encourage you to keep a couple of things in mind:
If you have ANY OWA customizations, they will require rework.
There is still a problem with Exchange servers that cannot connect to the Internet (such as mailbox servers behind a firewall): some services time out when they try to start for the first time after the update (see KB 944752 for a description of how to fix this).
Ensure that you install the roll-up with an account that has enough permission to do the install!
I have already seen a number of reports on the newsgroups where folks
have tried to install UR3, and it SAID it installed, but because of
permission issues it didn’t actually install. This can cause any number
of difficult-to-analyze problems.
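A quick way to confirm the rollup really landed, rather than trusting the installer’s success message, is to check the version of ExSetup.exe in the Exchange Bin directory (rollups change it even though Get-ExchangeServer keeps reporting the service pack build) and to look for automatic Exchange services that never started. The script below is an added example written for this post, not anything shipped with the rollup; it assumes the default Setup registry key written by Exchange 2007 setup, and the expected build is a placeholder to fill in from the UR3 KB article, since the post does not list it.

```powershell
# Post-install check for an Exchange 2007 update rollup (added example, not
# from the original post). Run it in the Exchange Management Shell on each
# server after the rollup installer reports success.
# Assumptions: the MsiInstallPath value under the default Setup registry key,
# and an expected ExSetup.exe file version supplied by the caller (the value
# below is a placeholder to replace with the build listed in the KB article).
param(
    [string]$ExpectedBuild = "<ExSetup.exe version listed for UR3>"
)

# 1. Locate the install directory; setup records it in MsiInstallPath.
$setupKey = "HKLM:\SOFTWARE\Microsoft\Exchange\Setup"
$installPath = (Get-ItemProperty -Path $setupKey).MsiInstallPath
$exSetup = Join-Path $installPath "Bin\ExSetup.exe"
if (-not (Test-Path $exSetup)) {
    throw "ExSetup.exe not found under '$installPath'"
}

# 2. Rollups change the file version of ExSetup.exe, while
#    Get-ExchangeServer keeps reporting the service pack build, so the
#    file version is the reliable sign that the patch really applied.
$fileVersion = (Get-Item $exSetup).VersionInfo.FileVersion
if ($fileVersion -eq $ExpectedBuild) {
    Write-Host "ExSetup.exe is $fileVersion - rollup applied."
} else {
    Write-Warning ("ExSetup.exe is $fileVersion, expected $ExpectedBuild. " +
        "The installer may have reported success without applying the " +
        "patch (usually a permissions problem); re-run it with an account " +
        "that has enough permission to do the install.")
}

# 3. Automatic-start Exchange services that are not running point at the
#    first-start timeout on servers without Internet access (KB 944752).
$stopped = Get-WmiObject Win32_Service -Filter "Name LIKE 'MSExchange%'" |
    Where-Object { $_.StartMode -eq "Auto" -and $_.State -ne "Running" }
if ($stopped) {
    foreach ($svc in $stopped) {
        Write-Warning "Automatic service $($svc.Name) is $($svc.State)"
    }
} else {
    Write-Host "All automatic MSExchange* services are running."
}
```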
So go on! Happy patching!
Wikipedia - Cross-Site Scripting
http://en.wikipedia.org/wiki/Cross-site_scripting
MS08-039: Vulnerabilities in Outlook Web Access for Exchange Server could allow elevation of privilege
http://support.microsoft.com/kb/953747/
Update Rollup 3 for Exchange Server 2007 Service Pack 1 (KB949870)
http://www.microsoft.com/downloads/details.aspx?FamilyId=63E7F26C-92A8-4264-882D-F96B348C96AB&displaylang=en&displaylang=en
Error message when you import a .pst file by running the Import-Mailbox cmdlet in Exchange Server 2007: "Unable to make connection to the server"
http://support.microsoft.com/default.aspx/kb/949549/
Exchange 2007 managed code services do not start after you install an update rollup for Exchange 2007
http://support.microsoft.com/kb/944752/