[German]In January 2019, Microsoft released the KB4471389 security update for Exchange Server 2013, 2016, and 2019. On some systems, however, the update causes installation errors, which may render the Exchange Server unusable.
Advertising
The reason for this article is a reader's tip to the editorial staff of German magazine heise.de, who then sent it to me to provide a statement. In cooperation with heise.de, I'll post the topic here within my blog in advance – maybe there will be other people affected, feedback and other findings.
Jan. 2019 Security Update KB4471389
Security update KB4471389 closes a vulnerability in Microsoft Exchange software that allows remote code execution if the software does not properly process objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code in the context of the system user. An attacker could then install programs, view, modify, or delete data, or create new accounts. KB4471389 is available as a cumulative update for different versions of Exchange Server:
- Security Update For Exchange Server 2013 CU21 (KB4471389)
- ecurity Update For Exchange Server 2016 CU10 (KB4471389)
- Security Update For Exchange Server 2019 (KB4471389)
This update is also available for download in Microsoft Update Catalog. An overview can also be found in this blog post.
Exchange Killer Security Update KB4471389
German user Steven K. observed, that installing this Security Update is sending his Exchange Servers out of operation. At the end of the day he was forced to run an install repair, to bring Exchange back to life. Steven K. wrote:
The security update KB4471389 was automatically installed on our Exchange Server 2016 without the administrator's intervention (via Windows Update, automatic installation disabled).
The update failed during installation and caused all Exchange services to be disabled. The manual start of the services and the extended troubleshooting didn't work and caused the HTTP Error 404.
Uninstalling the update was also not possible and aborted after about 45 minutes after several attempts. A manual reinstallation of the update failed even after a short time.
A search on the Internet shows that the problem has already occurred with several users and Microsoft does not admit to the problem. Also the Microsoft support could not help us and is run out of ideas.
The security update KB4471389 installation was forced by Microsoft, according to the user. After the update installation, Exchange Server 2016 no longer works. The only way to solve the problem was a repair installation.
Advertising
Other sources for the same problem
I searched the internet for KB4471389 and issues, and came across several websites where installation issues were reported.
- This Spiceworks post reports a failed installation at Exchange Server 2019.
- On German site administrator.de is this post, wo where the Exchange 2019 update also failed.
- On Technet there is this thread, where a failed installation at Exchange Server 2016 is complained.
- On reddit.com there is this thread, which also reports a failed (automatic) installation.
There, those affected complain that the Exchange services unfortunately no longer start after the failed installation. The only thing they could do was to install an old backup.
A known issue with update KB4471389
For update KB4471389 Microsoft has published this KB article, which also lists an installation abort under known problems.
When you try to manually install this security update by double-clicking the update file (.msp) to run it in "normal mode" (that is, not as an administrator), some files are not correctly updated.
When this issue occurs, you don't receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn't correctly stop certain Exchange-related services.
This termination occurs if the installation on systems with User Account Control (UAC) is not executed with administrative privileges, e.g. by double-clicking the update file. Then the installer cannot stop the Exchange services. Microsoft suggests that you start the update manually by choosing Run as administrator.
For me, the Microsoft KB article does not explain why a cumulative Exchange Server update, which is to be installed by the Windows Update service, fails due to missing permissions. Something was screwed up by Microsoft.
In this Spiceworks thread there is a hint that the above Microsoft tutorial does not help. If the installation of the update KB4471389 failed, services seem to be corrupted – so that only a backup of the Exchange install may help to bring the server back to life.
A few more hints
When I got this message, the thought 'there was something there' went through my mind. In August 2018, I had discussed issues with Exchange Server 2016 Update KB4340731 within my blog post Issues with Exchange Server 2016 Update KB4340731. This blog post was based on an administrator's experience report. He reports installation errors and issues with security update KB4340731. Within the thread at administrator.de somebody mentioned a script to reactivate the inactive Exchange services after the update. Within the thread, however, there was a hint that not all services can be activated in any circumstances.
I found also this (German) blog post from 2016, which describes the processes involved in installing a cumulative update. This post provides a possible explanation: When installing a cumulative update, all Exchange services and dependent services are set to "Disabled". The reason is to avoid a collision with the installation routines during the installation of the rollup (it's by design).
However, if the installer does not run with administrative permissions, it cannot stop the services. Then the update installation goes wrong, and the services are no longer started afterwards, the Exchange services are no longer accessible.
This reddtit.com thread refers to a blog post from 2014. It deals with the problem that Exchange 2013 suddenly does not allow access to OWA or ECP after an 'event'. The article suggests a few repair steps to get the Exchange Server up and running again. If this helps with the above problem, I can't judge – I don't have any shares in Exchange Server.
Final question: Was anyone affected by the problems? Are there any known causes other than the above or alternative repair instructions?
Similar articles:
Microsoft Security Advisory ADV190007 for Exchange Server
AD and Exchange Server vulnerable via EWS API
Issues with Exchange Server 2016 Update KB4340731
Vulnerability in Exchange Server 2010-2019
Issues with Exchange Server 2016 Update KB4340731
Advertising
As the KB4471389 says:
•When you try to manually install this security update by double-clicking the update file (.msp) to run it in "normal mode" (that is, not as an administrator), some files are not correctly updated.
When this issue occurs, you don't receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn't correctly stop certain Exchange-related services.
Run the update in admin mode to avoid the problem. Same goes to all CUs as well.
Yes, it is M$ fault that there wasn't any warnings when admins run the update in normal mode. They, admins, shouldn't run updates in normal mode as well.
It happened to me, too. Simply installed it through Windows Update, still broke my OWA, IIS.