Microsoft Exchange update fixes security flaws, breaks other stuff

Flawed patch stops on-premises, hybrid server transport rules in their tracks for some

Microsoft is pausing the rollout of an Exchange security update after it became clear that the patch could break transport rules for some customers.

The November 2024 Security Updates deal with various vulnerabilities in Microsoft's email server. While Exchange Online is already protected, customers using Exchange in a hybrid mode or fully on-premises must install the patches.

That is, unless the patches are abruptly pulled. On November 14, Microsoft admitted that customers with their own transport or data loss protection (DLP) rules found that the transport rules were "stopping periodically" after the update was installed. The company then "temporarily paused the rollout" of the update.

Some affected users have reported that, in a worst-case scenario, email may stop flowing altogether. Obviously implementation varies widely from org to org, and only a subset of users are affected. Microsoft has noted that "Customers who might not use Transport or DLP rules and did not run into the issue with rules, can continue using the November SU update."

The Register contacted Microsoft for more detail on the failure modes and we will update this article should the company respond.

The mail must flow

DLP focuses on securing critical information in Exchange Server, with DLP policies being simple packages containing a collection of transport rules. Transport rules, also known as mail flow rules, are similar to those used in Outlook, governing actions on mail as it arrives in a user's mailbox. The main difference is that the rules are applied to messages in transit before they are delivered to the user.

Transport rules are helpful for enterprises since they can enforce compliance and deal with mail exceptions before a user lays eyes on the message. They can inspect attachments, add prefixes to message subjects, insert disclaimers into message bodies, and perform other functions. Assuming, of course, the rules are actually working.

Social media forums, such as Reddit, were abuzz with complaints about transport rules failing to function after the security update was installed. Some users reported a temporary restoration of functionality after restarting the service, but the issue recurred. Microsoft's advice to affected users is to uninstall the update and await a re-release.

Microsoft deserves credit for quickly pulling the faulty update, though it clearly needs to reevaluate its testing practices – Exchange's transport rules function is key for many organizations, and breaking such a critical function with a mandatory security update reflects poorly on the Windows giant's quality control.

Microsoft has urged organizations to protect Exchange Servers from cyberattacks by keeping them updated with the latest security updates. Exchange's problematic security was a factor in delaying the next version until 2025. ®
