Yesterday we released Exchange Server quarterly servicing Cumulative Updates (for Exchange 2013/2016/2019) and Rollup Update (for Exchange 2010) for all supported versions of Exchange Server.
A few highlights:
- These updates include fixes to mitigate the zero-day and related vulnerabilities.
- An architectural change to EWS Push notification authentication – this change addresses the EWS Vulnerability.
- KB4490060 outlines the details of the changes made.
- Customers who rely upon Push Notifications should understand the important changes made.
- EWS Pull and Streaming Notifications functionality are unchanged by today’s updates.
- The change in Push Notification authentication is a permanent change to the product and necessary to protect the security of an Exchange Server.
- Changes in the latest cumulative updates, described in KB4490059, reduce the scope of objects where Exchange is able to write security descriptors in the directory.
For more information, please refer to the detailed EHLO blog post and its guidance.