With the latest Patch Tuesday updates rolled out to Windows devices, Microsoft has also released January 2023 updates for Exchange Server. Exchange Server 2013, 2016, and 2019 are covered in this rollout, with improvements and security patches made available across the board.
The latest Security Updates (SUs) resolve several security issues that were either discovered by Microsoft itself or were privately reported to it by partners. The Redmond tech giant says that it has found no evidence that suggests that these vulnerabilities were being exploited in the wild. You can download the SUs from the Update Catalog or through the links below:
- Exchange Server 2013 CU23 (support and updates end on April 11, 2023)
- Exchange Server 2016 CU23
- Exchange Server 2019 CU11 and CU12
Microsoft has also highlighted a major improvement it has made to its defensive perimeter by enabling certificate-based signing of PowerShell serialization payloads. The company explains that:
Serialization is the process of converting the state of an object into a form (stream of bytes) that can be persisted or transmitted to memory, a database, or a file. PowerShell, for example, uses serialization (and its counterpart deserialization) when passing objects between sessions. To defend Exchange servers against attacks on serialized data we’ve added certificate-based signing of PowerShell serialization payloads in the January 2023 SUs. In the first stage of rollout, this new feature must be manually enabled by an Exchange Server admin due to feature dependencies. This article details the steps to enable certificate-based signing of serialization data in Exchange Server. We have also released a script you can use to validate/create the required auth certificate in your organization or you can do it manually.
Microsoft has emphasized that you should only enable certificate-based signing after you have installed the January 2023 SUs on all your Exchange Server instances. If you enable it before then, you might encounter failures across your workflows. For now, this feature needs to be manually enabled, but Microsoft will turn it on by default in a future update.
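To make the idea of signing serialization payloads concrete, the following is an added PowerShell illustration, not Microsoft's or Exchange's code: it signs a serialized object and checks the signature before deserializing. The function names, the envelope layout, and the throwaway in-memory RSA key (standing in for the auth certificate's key pair) are assumptions made for the example.

```powershell
# Added illustration: sign a serialized payload and verify it before deserializing.
# Not Exchange's implementation; function names and envelope layout are hypothetical.
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function Protect-Payload {
    param($InputObject, [System.Security.Cryptography.RSA]$Key)
    # Serialize to CLIXML, then sign the exact bytes that will be transmitted.
    $xml   = [System.Management.Automation.PSSerializer]::Serialize($InputObject)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($xml)
    [pscustomobject]@{
        Data      = [Convert]::ToBase64String($bytes)
        Signature = [Convert]::ToBase64String($Key.SignData($bytes, $sha256, $pkcs1))
    }
}

function Unprotect-Payload {
    param($Envelope, [System.Security.Cryptography.RSA]$Key)
    $bytes = [Convert]::FromBase64String($Envelope.Data)
    $sig   = [Convert]::FromBase64String($Envelope.Signature)
    # Check the signature first, so altered bytes never reach the deserializer.
    # A real verifier would hold only the certificate's public key.
    if (-not $Key.VerifyData($bytes, $sig, $sha256, $pkcs1)) {
        throw 'Signature check failed: payload rejected before deserialization.'
    }
    $xml = [System.Text.Encoding]::UTF8.GetString($bytes)
    [System.Management.Automation.PSSerializer]::Deserialize($xml)
}

# Throwaway in-memory key constructed for the demo (Windows-only RSACng).
$key = [System.Security.Cryptography.RSACng]::new(2048)

# Constructed sample object; round-trips when the signature is intact.
$sample   = @{ Mailbox = 'user@example.test'; Quota = 50 }
$envelope = Protect-Payload -InputObject $sample -Key $key
$restored = Unprotect-Payload -Envelope $envelope -Key $key
"Valid payload restored, Quota = $($restored.Quota)"

# Constructed tampering: flip one bit of the serialized data after signing.
$raw = [Convert]::FromBase64String($envelope.Data)
$raw[10] = $raw[10] -bxor 0x01
$envelope.Data = [Convert]::ToBase64String($raw)
try { Unprotect-Payload -Envelope $envelope -Key $key }
catch { "Tampered payload: $($_.Exception.Message)" }
```

The point of the ordering in `Unprotect-Payload` is that the deserializer only ever sees bytes whose signature has already been verified.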
Interestingly, there is also a known issue introduced in these updates. Basically, web page previews for URLs shared in the Outlook Web App (OWA) will not render correctly. Microsoft says that it will fix the problem in a "future update", but doesn't exactly specify when.