New security updates for Exchange Server

Microsoft has released new security updates for Exchange 2010 to Exchange 2016. Specifically, it concerns this vulnerability:

This security update resolves a vulnerability in Microsoft Exchange Outlook Web Access (OWA). The vulnerability could allow privilege escalation or spoofing attacks in Microsoft Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange Server.

Source: Notes on the security update for Microsoft Exchange

The associated CVEs can be found here:

• CVE-2017-8559 | Microsoft Exchange Cross-Site Scripting Vulnerability
• CVE-2017-8560 | Microsoft Exchange Cross-Site Scripting Vulnerability
• CVE-2017-8521 | Scripting Engine Memory Corruption Vulnerability

 

All 3 gaps are classified as "Important".

Corresponding updates can be downloaded here:

• Update rollup 18 for Exchange Server 2010, Service Pack 3 (KB4018588)
• Security Update For Exchange Server 2013 SP1 (KB4018588)
• Security Update For Exchange Server 2013 CU16 (KB4018588)
• Security Update For Exchange Server 2016 CU5 (KB4018588)