Exchange 2016 CU16

News

Cumulative Update 16 for Exchange 2016 is now available. It contains 2 security updates and 13 additional documented new fixes or improvements, as well as all previously released fixes and security updates for Exchange 2016 and the latest DST updates.

Notable improvements, changes and fixes are:

  • KB4547706: Birthday isn’t correctly synced to iOS native mail app.
  • KB4547711: Public folder permissions aren’t applied from Outlook.
  • KB4547713: IsOnlineMeeting is always false for Teams-only meetings.
  • KB4547723: Can’t sign in to Office 365 if configuring hybrid with Chrome SameSite Cookie enabled.
  • KB4536987: Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020, which discusses CVE-2020-0692 and CVE-2020-0688. These updates were released separately for CU15 as well.

This release includes no new updates to the Active Directory Schema.
The next planned quarterly update is in June 2020. 

Download: Cumulative Update 16 for Exchange Server 2016 (KB4537678) (not yet available at the time of writing)
Download: Exchange Server 2016 CU16 UM Language Packs (not yet available at the time of writing)
View: Description of Cumulative Update 16 for Exchange Server 2016
View: Blog post of the Exchange Team about CU16 for Exchange Server 2016


Outlook 2016 / 2019 / 365 Update for March 2020

A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of an Office 365 subscription.

It contains 4 security updates for Word.

No fixes were mentioned for any of the Outlook versions, but a new Semi-Annual (Targeted) version has been released (Version 2002), which will become the Semi-Annual version in July.

Based on your release channel, you’ll be updated to the following version:

  • Office 365, Outlook 2016 Retail, Outlook 2019 Retail
    Version 2002 (Build 12527.20278)
  • Office 365 Semi Annual (Targeted)
    Version 2002 (Build 12527.20278)
  • Office 365 Semi Annual
    Version 1908 (Build 11929.20648)
    Version 1902 (Build 11328.20554) 
  • Outlook 2019 Volume License
    Version 1808 (Build 10357.20081)

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to MSI-based installations of Office 2016.


Outlook 2016 (MSI) Update for March 2020

A Rollup Update has been released for Outlook 2016. This is a non-security update which contains the following documented improvements and fixes:

  • Fixes an issue that causes the user selection for the hash algorithm not to persist.
  • Fixes an issue that causes crashes when users run rules on certain email messages.
  • Fixes an issue in which Outlook sometimes crashes when you view calendar sharing requests by having “Read all standard mail in plain text” turned on.
  • When you send a meeting request that contains attachments, the attachments may be duplicated in the calendar items. This issue occurs when Outlook runs against an Office 365 account in Online mode.
  • Fixes an issue that causes Outlook to use an excessive amount of CPU when you view the calendar window and resize the window to a narrower size.
  • Fixes an issue that causes some users to experience a crash.

View: Download information for KB4462111

Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4978.1000. This update does not apply to Perpetual and Office 365 based installations of Office 2016.


Exchange 2019 and 2016 Security Updates for March 2020

Security updates have been released for Exchange 2016 and Exchange 2019.

  • CVE-2020-0903: Microsoft Exchange Server Spoofing Vulnerability
    A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected server.
    The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the Exchange server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.
    The security update addresses the vulnerability by helping to ensure that Exchange Server properly sanitizes web requests.

View: Description of the security update for Microsoft Exchange Server 2019 and 2016: March 10, 2020
Download: Security Update For Exchange Server 2019 CU4 (KB4540123)
Download: Security Update For Exchange Server 2019 CU3 (KB4540123)
Download: Security Update For Exchange Server 2016 CU15 (KB4540123)
Download: Security Update For Exchange Server 2016 CU14 (KB4540123)


Outlook for Office 365 Feature Update for February 2020

Microsoft has just released the February feature update of Outlook for Office 365 (Monthly Channel) and it comes with 1 new feature for Outlook and 6 fixes.

  • Updates to the Outlook Folder Pane
    The new folder list that is coming with Aesthetic v1 will have an updated look & feel and Groups will be elevated to the same hierarchy as Folders and Favorites.
  • Addresses an issue that caused commas in the location field of a meeting to turn into semicolons.
  • Addresses an issue that could result in a crash when viewing the same item in multiple windows.
  • Addresses an issue that caused the option to disable flagged item highlighting to fail to be respected in some scenarios.
  • Addresses an issue that caused Outlook to unexpectedly sync all mail even when the sync slider is set to a smaller setting.
  • Addresses an issue that caused users with Black Theme to see the “From” dropdown show white text on a white background.
  • This change restores the ability to view multi-line subjects in the message header.

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook or the Microsoft Store and updates Outlook to: Version 2002 (Build 12527.20194).


Outlook 2016 / 2019 / 365 Update for February 2020

A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of an Office 365 subscription.

It contains 3 security updates for Outlook (1), Excel (1) and Office (1). Details about the Outlook vulnerability:

  • CVE-2020-0696: Microsoft Outlook Security Feature Bypass Vulnerability
    A security feature bypass vulnerability exists in Microsoft Outlook software when it improperly handles the parsing of URI formats. The security feature bypass by itself does not allow arbitrary code execution. However, to successfully exploit the vulnerability, an attacker would have to use it in conjunction with another vulnerability, such as a remote code execution vulnerability, to take advantage of the security feature bypass vulnerability and run arbitrary code.
    To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted URI with an affected version of Microsoft Outlook software.
    The security update addresses the vulnerability by correcting how Microsoft Outlook handles the parsing of URI formats.

In addition, it contains 2 documented non-security fixes for Outlook Monthly, 6 for Semi-Annual 1908 (including Targeted) and 1 for Semi-Annual 1902. The most notable fixes are:

  • Monthly: Addresses an issue that caused users to experience a crash when canceling account setup.
  • Monthly and Semi-Annual 1908: Addresses an issue that caused users to experience a crash when specifying an invalid From address.
  • Semi-Annual 1908: Addresses an issue that caused users to have problems with shared calendar folders syncing to the OST, resulting in permission errors when they try to interact with these folders.
  • Semi-Annual 1908: Addresses an issue that caused users to experience a hang at the Loading Profile screen when Outlook is starting up.
  • Semi-Annual 1902: Addresses an issue that caused users to encounter “encryption algorithm is not supported” errors when sending an encrypted email.

Based on your release channel, you’ll be updated to the following version:

  • Office 365, Outlook 2016 Retail, Outlook 2019 Retail
    Version 2001 (Build 12430.20264)
  • Office 365 Semi Annual (Targeted)
    Version 1908 (Build 11929.20606)
  • Office 365 Semi Annual
    Version 1908 (Build 11929.20606)
    Version 1902 (Build 11328.20526)
    Version 1808 (Build 10730.20438)
  • Outlook 2019 Volume License
    Version 1808 (Build 10356.20006)

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to MSI-based installations of Office 2016.


Outlook 2016 (MSI) Security Update for February 2020

A Security Update has been released for Outlook 2016. It resolves the following vulnerability:

  • CVE-2020-0696: Microsoft Outlook Security Feature Bypass Vulnerability
    A security feature bypass vulnerability exists in Microsoft Outlook software when it improperly handles the parsing of URI formats. The security feature bypass by itself does not allow arbitrary code execution. However, to successfully exploit the vulnerability, an attacker would have to use it in conjunction with another vulnerability, such as a remote code execution vulnerability, to take advantage of the security feature bypass vulnerability and run arbitrary code.
    To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted URI with an affected version of Microsoft Outlook software.
    The security update addresses the vulnerability by correcting how Microsoft Outlook handles the parsing of URI formats.

This update also contains 3 additional fixes or improvements for non-security issues:

  • Adds the ability to prevent Outlook from connecting to a mailbox that uses basic authentication by using the DisableBasic registry key.
  • Large blank spaces appear between the first and second columns in the contact item after an East Asian language pack is applied to Outlook.
  • Outlook may stop responding when you create a rule from a Skype for Business “missed conversation” message.

View: Download information for KB4484250

Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4966.1000. This update does not apply to Perpetual and Office 365 based installations of Office 2016.


Outlook 2013 Security Update for February 2020

A Security Update has been released for Outlook 2013. It resolves the following vulnerability:

  • CVE-2020-0696: Microsoft Outlook Security Feature Bypass Vulnerability
    A security feature bypass vulnerability exists in Microsoft Outlook software when it improperly handles the parsing of URI formats. The security feature bypass by itself does not allow arbitrary code execution. However, to successfully exploit the vulnerability, an attacker would have to use it in conjunction with another vulnerability, such as a remote code execution vulnerability, to take advantage of the security feature bypass vulnerability and run arbitrary code.
    To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted URI with an affected version of Microsoft Outlook software.
    The security update addresses the vulnerability by correcting how Microsoft Outlook handles the parsing of URI formats.

View: Download information for KB4484156

Note: This update can be installed via Microsoft Update or the Update Now button when you are using Office 2013 Click-To-Run and updates Outlook to version 15.0.5215.1000.


Outlook 2010 Security Update for February 2020

A Security Update has been released for Outlook 2010. It resolves the following vulnerability:

  • CVE-2020-0696: Microsoft Outlook Security Feature Bypass Vulnerability
    A security feature bypass vulnerability exists in Microsoft Outlook software when it improperly handles the parsing of URI formats. The security feature bypass by itself does not allow arbitrary code execution. However, to successfully exploit the vulnerability, an attacker would have to use it in conjunction with another vulnerability, such as a remote code execution vulnerability, to take advantage of the security feature bypass vulnerability and run arbitrary code.
    To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted URI with an affected version of Microsoft Outlook software.
    The security update addresses the vulnerability by correcting how Microsoft Outlook handles the parsing of URI formats.

View: Download information for KB4484163

Note: This update can be installed via Microsoft Update and updates Outlook to version 14.0.7245.5000.


Exchange 2019, 2016, 2013 and 2010 Security Updates for February 2020

Security updates have been released for Exchange 2010, Exchange 2013, Exchange 2016 and Exchange 2019.

  • CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability
    A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.
    Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.
    The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.
  • CVE-2020-0692: Microsoft Exchange Server Elevation of Privilege Vulnerability
    An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as any other user of the Exchange server. This could allow the attacker to perform activities such as accessing the mailboxes of other users.
    Exploitation of this vulnerability requires Exchange Web Services (EWS) to be enabled and in use in an affected environment. To exploit the vulnerability, an attacker would need to change parameters in the Security Access Token and forward it to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
    To address this vulnerability, Microsoft has changed the way EWS handles these tokens.
    This vulnerability does not apply to Exchange 2010.

The updates for Exchange 2010 and Exchange 2013 also contain the following fix:

  • KB4540267: MSExchangeDelivery.exe or EdgeTransport.exe crashes in Exchange Server 2013 and Exchange Server 2010

View: Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020
View: Description of the security update for Microsoft Exchange Server 2013: February 11, 2020
View: Description of the security update for Microsoft Exchange Server 2010: February 11, 2020
Download: Security Update For Exchange Server 2019 Cumulative Update 4 (KB4536987)
Download: Security Update For Exchange Server 2019 Cumulative Update 3 (KB4536987)
Download: Security Update For Exchange Server 2016 Cumulative Update 15 (KB4536987)
Download: Security Update For Exchange Server 2016 Cumulative Update 14 (KB4536987)
Download: Security Update For Exchange Server 2013 CU23 (KB4536988)
Download: Update Rollup 30 for Exchange Server 2010 SP3 (KB4536989)