

This security update resolves a vulnerability in Microsoft Exchange Outlook Web Access (OWA). The vulnerability could allow elevation of privilege or spoofing in Microsoft Exchange Server if an attacker sends an email message that has a specially crafted attachment to a vulnerable server that is running Exchange Server. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2017-11932 and ADV170023.

Improvements and fixes

This security update was released to address a known issue in security update 4036108 in which customers that are using split DNS may encounter problems that affect Calendar Sharing. This update removes the fix for this vulnerability. 

Known issues

  • We are aware of some reports that Exchange services may remain in a disabled state after you install this security update. If this occurs, the update is installed correctly. However, the service control scripts encounter a problem when they try to return Exchange services to their usual state. To resolve this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually.

  • When you try to manually install this security update in "normal mode" (not running the update as an administrator) and by double-clicking the update file (.msp), some files are not correctly updated. When this issue occurs, you do not receive an error message or any indication that the security update is not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update does not correctly stop certain Exchange-related services. To avoid this issue, run the security update in elevated mode as an administrator. To do this, right-click the update file, and then click Run as administrator.
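
The recovery described in the first known issue, run from the elevated session that the second known issue calls for, written as a PowerShell script. This is an added example, not a Microsoft script: it assumes the affected services match the MSExchange* name prefix, and the -Exclude parameter is a hypothetical way to skip services you keep disabled on purpose.

```powershell
#Requires -Version 3.0
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: the affected Exchange services share the MSExchange* name prefix.
    [string]$NamePattern = 'MSExchange*',
    # Hypothetical parameter: names of services that are disabled intentionally.
    [string[]]$Exclude = @()
)

# Stop early when the session is not elevated; changing startup types needs admin rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session (Run as administrator).'
}

# Win32_Service reports StartMode (Auto, Manual, Disabled) for every service.
function Get-DisabledExchangeService {
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.Name -like $NamePattern -and
        $_.StartMode -eq 'Disabled' -and
        $Exclude -notcontains $_.Name
    }
}

$disabled = @(Get-DisabledExchangeService)
if ($disabled.Count -eq 0) {
    Write-Output "No disabled services match $NamePattern."
    return
}

foreach ($svc in $disabled) {
    # -WhatIf lists the services that would be changed without touching them.
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Set startup type to Automatic and start')) {
        Set-Service -Name $svc.Name -StartupType Automatic
        try {
            Start-Service -Name $svc.Name -ErrorAction Stop
        } catch {
            # A dependency may still be stopped; report it and continue with the rest.
            Write-Warning "$($svc.Name) did not start: $($_.Exception.Message)"
        }
    }
}

# Final state of every matching service, for the change record.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $NamePattern } |
    Sort-Object Name |
    Select-Object Name, StartMode, State
```

Run it with -WhatIf first and compare the list against the startup types the server had before the update.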

How to get and install the update

Method 1: Microsoft Update

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

More Information

Security update deployment information

For deployment information about this update, see security update deployment information: December 12, 2017.

Package name | Package hash SHA 1 | Package hash SHA 2
E16CU7 Exchange2016-KB4045655-x64-en.msp | |
E16CU6 Exchange2016-KB4045655-x64-en.msp | |
E15CU18 Exchange2013-KB4045655-x64-en.msp | |
E15CU17 Exchange2013-KB4045655-x64-en.msp | |

File information
