Description of the security update for Microsoft Exchange: March 13, 2018

Applies to: Exchange Server 2013 Service Pack 1Exchange Server 2016 Enterprise EditionExchange Server 2013 Enterprise


This security update resolves a vulnerability in Microsoft Exchange Outlook Web Access (OWA). The vulnerability could allow elevation of privilege or spoofing in Microsoft Exchange Server if an attacker sends an email message that has a specially crafted attachment to a vulnerable server that is running Exchange Server. To learn more about these vulnerabilities, see the following Microsoft security advisories:

Known issues

  • When you try to manually install this security update by double-clicking the update file (.msp) to run it in "normal mode" (that is, not as an administrator), some files are not correctly updated.

    When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

    To avoid this issue, follow these steps to manually install this security update:

    1. Select Start, select All Programs, and then select Accessories.
    2. Right-click Command prompt, and then select Run as administrator.
    3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
    4. Type the full path of the .msp file, and then press Enter.

    This issue does not occur when you install the update from Microsoft Update.

  • Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state. To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update from an elevated command prompt. For more information about how to open an elevated command prompt, visit the following Microsoft webpage: Start a Command Prompt as an Administrator

How to get and install the update

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

More Information

Security update deployment information

For deployment information about this update, see security update deployment information: March 13, 2018

File hash information

Package name Package hash SHA 1 Package hash SHA 2
CU18 Exchange2013-KB4073392-x64-en.msp 123155E0C90ECB9A9D0A3E09C9171862E3EC9F24 D15A7C31264D16E70CAF0328856C896FAAE4C5132E1F619A21685D80F6DF6BF6
CU19 Exchange2013-KB4073392-x64-en.msp 6EECBC619E7CDA53BDAB87358BD76256E8405F05 8AF9FD258F31BA93EA48C4851ADE72BF13AFA9431F61A51B1A57EBF36F64E539
SP1 Exchange2013-KB4073392-x64-en.msp CD296F9A1136C882F949937B4057EF76C63C7C43 BA6BD6FB2E5B7008D2A2A885DC722CC3AD2E31C9C8FC7E4CEEB4402EB589C841
CU7 Exchange2016-KB4073392-x64-en.msp B98AF503C75B88BDD0CBD6AF3C04EEF1E0847FB9 5C509B9516E63527E9E3A14C078FE9E5CDB01FD6A5BBF5661EF69A9CB84B8B67
CU8 Exchange2016-KB4073392-x64-en.msp 59F5539CA29F6396999EFC39D1B5FFD02BB0832F BCAB4C55B7ABED7E124BCC978DE6092119460E80D174357F0C62B11DBECC866A

File information

The English (United States) version of this update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

How to get help and support for this security update

Help for installing updates: Windows Update FAQ

Security solutions for IT professionals: Security Support and Troubleshooting

Help for protecting your Windows-based computer from viruses and malware: Microsoft Secure

Local support according to your country: International Support