Childs points to two other ZDI discoveries of Exchange vulnerabilities, one in 2018 and another in 2020, that were actively exploited by hackers even after the bugs were reported to Microsoft and patched. A recent episode of the security podcast Risky Business, titled “It’s ExchangeHog Day,” refers to the seemingly endless cycle of vulnerability disclosures and subsequent patching that the servers require.
When WIRED reached out to Microsoft for comment about its Exchange security issues, Aanchal Gupta, corporate vice president of the Microsoft Security Response Center (MSRC), responded with a comprehensive list of measures the company has taken to mitigate, patch, and harden on-premises Exchange Server. She noted that Microsoft quickly issued updates in response to Tsai’s findings that partially blocked the vulnerabilities he disclosed, before the company announced a full fix in August. Gupta further wrote that the MSRC “worked around the clock” to help customers update their Exchange servers during last year’s Hafnium attacks, released numerous security updates for Exchange throughout the year, and also launched the Exchange Emergency Mitigation Service, which automatically applies security mitigations to block known attacks on Exchange servers before full patches are available.
Still, Gupta agreed that most customers should move from on-premises Exchange servers to Microsoft’s cloud-based email service, Exchange Online. “We strongly recommend that customers migrate to the cloud to take advantage of real-time security and instant updates to keep their systems protected from the latest threats,” Gupta said in an emailed statement. “Our work continues to support on-premises customers moving to a supported and updated version, and we strongly advise customers who cannot keep these systems up-to-date to migrate to the cloud.”
If email administrators are, in fact, having trouble fully patching Exchange, Trend Micro’s Childs says it’s largely due to the complexity of installing Exchange updates, the age of its code, and the risk of breaking functionality by changing interdependent software mechanisms. Security researcher Kevin Beaumont, for example, recently live-tweeted his own experience updating an Exchange server, documenting the numerous bugs, crashes, and hiccups in the process, which took him nearly three hours, even though the server had been updated only months earlier. “It’s a difficult and painful process, so people don’t patch their on-premises Exchange, even though there are active attacks,” says Childs. “So there are patched bugs that are taking forever to fix, and there are also unpatched bugs that have yet to be fixed.”
Another problem with the security of on-premises Exchange is that vulnerabilities found in its software are often particularly easy to exploit. Exchange bugs are no more common than vulnerabilities in Microsoft’s Remote Desktop Protocol, says Marcus Hutchins, an analyst at security firm Kryptos Logic. But they are more reliable to exploit because, even though the Exchange server hosts the email locally, it is accessed through a web service. And issuing commands to a web server through an online interface is a more reliable form of hacking than methods like so-called memory corruption vulnerabilities, which involve changing data in a low-level and less predictable part of the target machine. “It’s basically a very fancy web exploit,” Hutchins says. “There’s no such thing as a server crash if you do it wrong. It’s very stable and easy.”