Microsoft pulls Exchange security updates over mail delivery issues

Microsoft has pulled the November 2024 Exchange security updates released during this month's Patch Tuesday because of email delivery issues on servers using custom mail flow rules.

The company announced it pulled the updates from Windows Update and the Download Center following widespread reports from admins saying that email had stopped flowing altogether.

This issue affects customers using transport rules (also known as mail flow rules) or data loss protection (DLP) rules, which will stop periodically after installing the November Exchange Server 2016 and Exchange Server 2019 security updates.

While mail flow rules filter and redirect emails in transit (just as Outlook inbox rules for emails that have already landed in the user's mailbox), DLP rules prevent sensitive information from being accidentally shared or leaked outside an organization.

"We are continuing the investigation and are working on a permanent fix to address this issue. We will release it when ready. We have also paused the rollout of November 2024 SU to Windows / Microsoft Update," Redmond said.

Microsoft also advised admins who see mail flow issues to uninstall the buggy November security updates until re-released. However, those who don't use transport or DLP rules and have not run into this issue can continue using their up-to-date Exchange servers.

Warnings on emails abusing spoofing flaw

This week, Microsoft also disclosed a high-severity Exchange Server vulnerability (CVE-2024-49040) that can let attackers forge legitimate senders on incoming emails to make malicious messages much more effective.

"The vulnerability is caused by the current implementation of the P2 FROM header verification, which happens in transport," Microsoft explained, warning that the security flaw could be used in spoofing attacks targeting Exchange servers.

"The current implementation allows some non-RFC 5322 compliant P2 FROM headers to pass which can lead to the email client (for example, Microsoft Outlook) displaying a forged sender as if it were legitimate."

While Microsoft has not patched the vulnerability and will still accept emails with these malformed headers, Redmond says servers will now detect and prepend a warning to malicious emails after installing the Exchange Server November 2024 Security Update (SU).

​Microsoft fixed four zero-days during the November 2024 Patch Tuesday fixes, two actively exploited in attacks and three publicly disclosed.

It also addressed four critical vulnerabilities, including two remote code execution flaws and two elevations of privileges bugs.