This issue sponsored by: Sherpa Software ♦
Sperry Software
Exchange 2007 Service Pack 1 - Update Rollup 3 (UR3)
by Michael B. Smith, MCSE/Exchange MVP
This week, Microsoft unleashed Update Rollup 3 for Exchange
Server 2007 Service Pack 1 onto the world - on Patch Tuesday,
along with a number of other 'important' security patches. This
timing is no coincidence. Included in UR3 is a fix for an OWA
security hole that can cause an elevation of privilege
(MS08-039). This problem was also not unique to SP1 -
Microsoft also released UR7 for Exchange Server 2007 RTM (that
is, the version without a service pack) and a hotfix for
Exchange Server 2003 Service Pack 2 (earlier versions of
Exchange 2003 are no longer supported) to correct the same
issues.
The OWA fix actually addresses two security vulnerabilities -
both of which are Cross-Site Scripting (XSS) vulnerabilities. An
XSS vulnerability is one where a bad guy talks a user into
visiting a web page that contains a payload. This payload is
generally some kind of programming - like JavaScript - that can
do something nasty to the user's machine. It does this by
finding a way to impersonate the user. Once that code
impersonates the user, it basically has free rein to mess up a
user's computer (well, as much as that particular user does -
this is why Vista's UAC is a good thing!). If you want to know
more about XSS, see the Wikipedia entry on it. Well, some smart
guy (or security researcher, take your pick) found two problems
in OWA where it was vulnerable to XSS payloads. UR3 closes those
holes.
Of course, this is far from the only fix in UR3. A correction
that is near and dear to me is a fix for the Import-Mailbox
Exchange Management Shell cmdlet. Ever since the initial
release of Exchange Server 2007, the IncludeFolders parameter
for Import-Mailbox has been broken - specifying it would cause
the cmdlet to crash. This has now been corrected. YAY! (This
particular fix is described in KB 949549.)
There are also fixes for three common problems that I've seen
discussed on various mailing lists and newsgroups:
- If a delegate uses OWA to modify an appointment,
the wrong time may be sent to meeting attendees.
- The Exchange 2007 Application Pool crashes and on
restart causes all OWA sessions to reauthenticate.
- After an Authentication Timeout, OWA will generate a 404
on refresh (or if any buttons on the OWA window are
clicked).
Because of the way Exchange 2007 does Update Rollups now,
this is a big patch. As I examined the patch manifest, I was
astounded - there are hundreds of files contained within the
patch. At 34 MB in size, it's about 10 percent of the size of
the full Exchange (English) release. Then I remembered that it's
fully cumulative - all of the changes to everything since
Service Pack 1 are included in UR3.
Obviously, this is a pretty important roll-up to roll out.
However, I encourage you to keep a couple of things in mind:
- If you have ANY OWA customizations, they will require rework.
- There is still a problem with Exchange servers (such as mailbox
servers behind a firewall) that cannot connect to the Internet
experiencing a timeout when some services try to start the first
time (see KB 944752 for a description of how to fix this).
- Ensure that you install the roll-up with an account that has
enough permission to do the install!
I have already seen a number of reports on the newsgroups where
folks have tried to install UR3, and it SAID it installed, but
because of permission issues it didn't actually install. This
can cause any number of difficult-to-analyze problems.
So go on! Happy patching!
_____________________________________________________________________________________
Wikipedia - Cross-Site Scripting
http://en.wikipedia.org/wiki/Cross-site_scripting
MS08-039: Vulnerabilities in Outlook Web Access for Exchange
Server could allow elevation of privilege
http://support.microsoft.com/kb/953747/
Update Rollup 3 for Exchange Server 2007 Service Pack 1
(KB949870)
http://www.microsoft.com/downloads/details.aspx?FamilyId=63E7F26C-92A8-4264-882D-F96B348C96AB&displaylang=en&displaylang=en
Error message when you import a .pst file by running the
Import-Mailbox cmdlet in Exchange Server 2007: "Unable to make
connection to the server"
http://support.microsoft.com/default.aspx/kb/949549/
Exchange 2007 managed code services do not start after you
install an update rollup for Exchange 2007
http://support.microsoft.com/kb/944752/
Webmail via Outlook
It seems like a lot of Exchange sites support only OWA and a
lot of those users would like to use Outlook instead but won't
ask the administrator or don't believe him when the answer is
"No", so they ask me if it's possible.
My answer: It depends on how the server is configured.
If the web address you use to access OWA begins with HTTPS, you
can use Outlook only if Outlook Anywhere (RPC over HTTP) is
enabled. While you could try to find out on your own by using
the OWA URL in the proxy settings, you should ask the Exchange
administrator if it's enabled and, if so, what proxy address and
authentication settings to use. It's much faster and less
frustrating than experimenting with different settings.
When the web address is not secure (URL begins with HTTP://) you
can configure it in Outlook 2003 and 2007 as an HTTP account
type. However, you will be limited to email, as Calendar,
Contacts, and Tasks are unusable.
Only Exchange server supports HTTP access through Outlook. Other
web mail sources, such as Yahoo, do not support WebDAV and
cannot be used in Outlook. You'll need POP3 or IMAP access to
use them with Outlook.
Searching for Attachments
An Outlook user asked me if it's possible to define a search that
will only show those messages that have a specific attachment
type (file extension).
Outlook 2007's search capabilities are better than in previous
versions, but not yet perfect, as a search like this shows.
Instant search will narrow the field for you, but it will find
all messages with the extension in the message body too. You can
use the Instant search criteria of "Has Attachments" to show
only messages with attachments, making it easier to browse the
results for the correct message.
When you use an older version of Outlook, you'll need to be
creative or use a third-party search tool. If the attachment
name is in the email header (many are) you can use a rule to set
a flag or category based on words in the header and use Run
Rules Now to run it on the messages already downloaded. Then use
a custom view or Advanced Find to show only the messages that
meet the flag or category criteria. This is not
100% foolproof, as it may miss attachments that are embedded in
the message, since the attachment name may not be included in the
Internet header.
Search Tools
http://www.slipstick.com/addins/search.asp
Windows Update KB951748 and Internet Connection Problems
If you use ZoneAlarm and lost Internet connectivity after a
recent Windows update, you'll need to download the new version
of ZoneAlarm.
A link to the new version is at
http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
For a temporary fix you can move the ZoneAlarm Internet Security
zone slider to Medium or uninstall the Windows update.
Update Rollup Numbering
If you're unfamiliar with how Exchange Server 2007 updates
are numbered, KB articles referring to different rollup updates
may leave you confused, such as the two released this week.
Exchange RTM and SP1 are considered different versions when it
comes to updates, and SP1 isn't a requirement or forced upgrade,
yet. The rollup updates allow sites that haven't yet
installed SP1 to install the more critical updates and fixes
without upgrading to SP1.
In either case, the rollup terminology means the updates
installed with previous rollups are rolled into the latest one.
This means if you need to install Exchange 2007 in the future
you'll need only the last rollup released.
New Utilities
KiGoo
http://www.getkigoo.com/
Use KiGoo to manage Exchange and Google Calendars in only one
program. Check free/busy availability of all Google Contacts who
shared their information. View, browse, update, email and invite
your Google Contacts from Outlook. Real-time access. Supports
Outlook 2007. Free for non-commercial use.
Updated Utilities
Open Relay Filter Enterprise Edition (ORFEE)
http://www.slipstick.com/redirect.asp?id=vamsoft
ORFEE has SURBL blacklist support, greylisting, tarpit delay, and
automatic sender whitelist for improved spam filtering. ORFEE
supports filtering emails on arrival, which allows delivery path
analysis and keyword and attachment filtering, so you can drop
emails with malicious attachments
or replace the attachments with a customizable warning text. Both
the keyword and the attachment filtering support using
Perl-compatible regular expressions and are Unicode-aware. E-mails
caught by the On Arrival filtering point can be dropped, redirected
or tagged (header or subject). ORFEE includes a built-in log viewer
which allows easy browsing, searching and filtering the logs.
Version 4.2
Salesplus.net
http://www.salesplus.net/
Contact management and customer relationship system based on
Outlook, Exchange Server and SQL, and is compatible with other
SFA's/CRM's and databases. Hosting is offered for companies without
Exchange Server. A Lotus version is also available.
Delete Duplicates for Outlook
http://e-gadgets.freehostia.com/ddo.htm
Delete Duplicates for Outlook is a tool for deleting duplicate
e-mails for Microsoft Outlook. Works with Outlook
2000/2002/2003/2007. Version 4.8
New Exchange Knowledge Base Articles
The Availability service may use lots of memory on an Exchange Server 2007-based
computer
http://support.microsoft.com/?kbid=936747
A meeting reminder is still active when you configure Outlook to send no
reminders to an Exchange Server 2007 user
http://support.microsoft.com/?kbid=945854
A storage group may not mount after you move the resources from the active node
to the passive node while the backup is in progress in Exchange Server 2007
http://support.microsoft.com/?kbid=950153
An attachment incorrectly appears as the body of the e-mail message in an
Exchange Server 2007 environment
http://support.microsoft.com/?kbid=948897
Description of Update Rollup 3 for Exchange Server 2007 Service Pack 1
http://support.microsoft.com/?kbid=949870
Description of Update Rollup 7 for Exchange Server 2007
http://support.microsoft.com/?kbid=953469
Error message when an Exchange 2007-based user sends a meeting request to a
resource that is located in a Lotus Domino resource reservation database: "Error
autoprocessing message"
http://support.microsoft.com/?kbid=937436
Error message when you enter logon credentials after an Outlook Web Access
session times out in Exchange Server 2007: "Server Error in '/ExchWeb/bin'
Application"
http://support.microsoft.com/?kbid=951293
Error message when you import a .pst file by running the Import-Mailbox cmdlet
in Exchange Server 2007: "Unable to make connection to the server"
http://support.microsoft.com/?kbid=949549
External e-mail message senders receive an NDR when you select the Turkish
language setting on a computer that is running Exchange Server 2007 Service Pack
1
http://support.microsoft.com/?kbid=951563
How to disable the "Sent by Microsoft Exchange Server 2007" branding sentence in
an Exchange Server 2007 DSN message
http://support.microsoft.com/?kbid=941770
It takes a long time for the Exchange Management Console to load in an Exchange
Server 2007 organization that was deployed in a multiple-domain environment
http://support.microsoft.com/?kbid=947573
MS08-039: Vulnerabilities in Outlook Web Access for Exchange Server could allow
elevation of privilege
http://support.microsoft.com/?kbid=953747
OVA announces "Unrecognized caller" in an Exchange Server 2007 environment even
though Outlook and Outlook Web Access correctly resolve the caller address
http://support.microsoft.com/?kbid=950758
The e-mail address of a contact does not appear in the Outlook Address Book
after you use Exchange Web Services to edit the contact in Exchange Server 2007
with Service Pack 1
http://support.microsoft.com/?kbid=949206
The heading of the "State" column is translated incorrectly in the German
version of the Exchange Management Console in Exchange Server 2007
http://support.microsoft.com/?kbid=951263
The icons that represent TIFF attachments may not be shown correctly if the
e-mail message is viewed by using Outlook Web Access 2007 in an Exchange Server
2007 environment
http://support.microsoft.com/?kbid=949778
The reminder is triggered earlier than expected when an Exchange Server 2007
server receives an iCalendar meeting request message over an SMTP server
http://support.microsoft.com/?kbid=950409
The W3wp.exe process may intermittently stop responding, and event ID 1000 is
logged in Exchange Server 2007 Service Pack 1
http://support.microsoft.com/?kbid=953539
Web services sends meeting request information that has an incorrect time if a
delegate modifies an appointment in an Exchange Server 2007 environment
http://support.microsoft.com/?kbid=950674
You cannot control the behavior of attachments on mobile devices by using the
ActiveSync policy in Exchange Server 2007 Service Pack 1
http://support.microsoft.com/?kbid=950120
You cannot log on to Outlook Web Access in an Exchange Server 2007 environment,
and you receive an error message: "HTTP Error 403.4"
http://support.microsoft.com/?kbid=945453
You cannot resolve a sender name or a recipient name when the name belongs to an
alternative domain tree in Exchange Server 2007
http://support.microsoft.com/?kbid=950930
You cannot run the New-X400AuthoritativeDomain cmdlet successfully in an
Exchange Server 2007 environment if an X.400 address contains a space character
http://support.microsoft.com/?kbid=951094
New Outlook Knowledge Base Articles
An e-mail message does not appear in a user's mailbox if the e-mail message was
sent on behalf of the user by a delegate in Outlook 2003
http://support.microsoft.com/?kbid=953804
Contains instructions to enable the hotfix described in KB 953803 to fix this
issue.
Description of the Outlook 2003 hotfix package: June 18, 2008
http://support.microsoft.com/?kbid=953803
This hotfix package fixes the issue described in KB 953804
Description of the Outlook 2003 Junk E-mail Filter update: July 8, 2008
http://support.microsoft.com/?kbid=953465
Description of the Outlook 2007 Junk E-mail Filter update: July 8, 2008
http://support.microsoft.com/?kbid=953463
Description of the update for Outlook 2003: July 8, 2008
http://support.microsoft.com/?kbid=953432
This update replaces several previously released updates for Outlook 2003
related to how messages and attachments are rendered.
Description of the update for Outlook 2007: July 8, 2008
http://support.microsoft.com/?kbid=952142
This update addresses a problem with creating a new profile in Outlook 2007
where the creation wizard disappears before the profile is created. If you try
to create a new message, you receive "A dialog box is open. Close it and try
again." error message. Additionally, Outlook stops responding and you cannot
close Outlook, and you have to end the Outlook.exe process by using Task
Manager. If your version of Outlook is 12.0.6316.5000 you do not need to install
this update.
Description of the Outlook 2003 hotfix package: June 18, 2008
http://support.microsoft.com/?kbid=953874
This hotfix package fixes an issue with certain multiple command line switches
returning a 'command not valid' error message.
Exchange Messaging Outlook Newsletter
ISSN 1523-7990
Copyright 1996-2009, Slipstick Systems and CDOLive LLC. All rights reserved.