[Update 2] Emergency Security Patching for Fully-Managed Windows 2012+ servers - September 8, 2020

  • Thursday, 10th September, 2020
  • 03:00am

Update 2 (Wed 09 Sep 2020 08:57:56 PM MDT):
A subset of servers was missed last night, and our Exchange host will require more updating.

We will begin these updates shortly; you may notice a reboot on your Windows server, or some temporary delivery deferrals for our helpdesk.

Update 1 (Wed Sep  9 00:50:34 MDT 2020):
Automatic reboots of hosts in the discussed scope have begun and will continue over the next few hours. We will monitor servers to ensure they come back up without incident.

Purpose of Work:

This Patch Tuesday has a few highlights, in addition to various less noteworthy security updates.

The first is a system-level RCE vulnerability affecting all recent versions of Exchange Server, which we will be mitigating on our internal server ASAP, overnight: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875

The second is an RCE vulnerability affecting all supported versions of Windows Server. This one leverages a COM interaction with JavaScript, and thus could affect any RDS server or webserver where a user or application pool might end up opening a maliciously crafted file: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0922

This would result in code being run as the identity of whatever user opened said file.

The third is an RCE vulnerability affecting Server 2016 and up that leverages how the Microsoft Windows Codecs Library handles objects in memory. Again, webservers and RDS servers would be particularly vulnerable to this: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1129



Standalone hypervisors would be a general exception to this, and customer-owned Windows HVs that host unmanaged VMs but also run Windows 2012+ should have their maintenance scheduled with us separately.

Customers with their own update infrastructure will also be scheduled separately.


We will update you as maintenance begins.


Impact of Work:

Our Exchange host will be rebooted a few times tonight to propagate security fixes. This may intermittently interfere with our ability to send and receive mail while patches are being applied.


All affected hosts will be rebooted automatically / ASAP to propagate fixes, starting at 11:30PM on 9/8/20.

Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.

Hypervisors in a failover cluster will be rebooted on a rolling basis, in order to eliminate VPS downtime on said clusters.

Any hosts not on our fully-managed domain (usually because they have their own domain) will not be impacted; the controlling organizations will be notified separately.


Please contact us with any questions / comments / concerns.

 
