Childs points to two other ZDI findings about the Exchange vulnerability, one in 2018 and another in 2020, were actively exploited by hackers even after the bugs were reported to Microsoft and patched. Security Podcasts Business risk went as far as to title a recent episode.”It’s Exchangehog dayRefers to the terrible cycle of vulnerability disclosure and subsequent patching that the servers require.
When WIRED reached out to Microsoft for comment on its Exchange security issues, Aanchal Gupta, corporate vice president of Microsoft’s Security Response Center (MSRC), responded with a full list of requests. Measures the company has taken to mitigate, patch, and enhance-on-premise Exchange servers. She noted that Microsoft quickly released updates in response to Tsai’s findings that partially blocked the vulnerabilities he exposed before the company released a full fix in August. Gupta added that MSRC “worked around the clock” to help customers update their Exchange servers amid last year’s Hafnium attacks, released multiple security updates to Exchange during the year, and even rolled out more Launched Exchange Emergency service, which helps customers automatically apply security mitigations to block known attacks on Exchange servers even before a full patch is available.
However, Gupta agrees that most customers should switch from on-premises Exchange servers to Microsoft’s cloud-based email service, Exchange Online. “We highly recommend customers move to the cloud to take advantage of real-time security and instant updates to help keep their systems protected from the latest threats,” Gupta said. said in an emailed statement. “Our work to help on-premises customers migrate to supported and updated versions continues, and we strongly recommend that customers who are unable to update these systems migrate to the cloud.”
In fact, if email admins are having trouble keeping Exchange fully patched, Trend Micro’s Childs says it’s largely due to the complexity of actually installing Exchange updates, both due to the age of the code and the risk of breaking functionality by changing interdependencies in the software. Security researcher Kevin Beaumont, for example, recently directly tweeted his experience of updating the Exchange server. “It’s been a tough and arduous process, so despite the aggressive attacks, people aren’t patching their Exchange on-premises,” Childs said. “So there are patched bugs that take forever to be fixed, and there are also unpatched bugs that remain unfixed.”
Another issue that further complicates Exchange’s security woes arises from the fact that vulnerabilities found in its software are often particularly vulnerable to exploitation. Marcus Hutchins, an analyst with security firm Kryptos Logic, says the Exchange bug is no more common than the one in Microsoft’s Remote Desktop Protocol. But they are much more reliable to use because, despite the fact that the Exchange server stores email locally, it is accessed through a web service. And passing commands via an online interface to a web server is a much more reliable form of hacking than methods like so-called memory vulnerabilities, which have to change data at the low level. more and less predictable of the targeted machine. “It’s basically a very interesting way of web mining,” says Hutchins. “It’s not something that will crash the server if you do it wrong. It is very stable and simple. “
