Microsoft Makes Exchange Server Patches Less Optional

Microsoft Exchange is a frequent target of hackers, and the attack vector is often a well-known vulnerability that a company simply hasn’t gotten around to patching.

To try to deal with that problem, Microsoft is doing what a lot of other software vendors may start doing: making fixes a lot less optional to apply.

In the September 2021 Cumulative Update (CU), the software giant has added a new feature called the Microsoft Exchange Emergency Mitigation (EM) service. The EM service installs automatically with the CU and may automatically disable features or functionality on an Exchange server as threats arise.

The EM service can be disabled, but that’s kind of the point: a server admin would need to actively disable the service; otherwise it will apply mitigations as threats arise.

How Exchange Mitigation Works

The EM service checks the cloud-based Office Config Service (OCS) for available mitigations every hour. It downloads a signed XML file containing the mitigation configuration settings and validates the signature, checking the issuer, the Extended Key Usage, and the certificate chain, to verify that the XML was not tampered with. Only after successful validation does the EM service apply the mitigation.
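As an added illustration of the validation steps just described, here is a simplified Python model (not Microsoft’s code) that refuses a signed mitigation file unless the signer has the expected issuer, carries a code-signing Extended Key Usage, and chains to a pinned root, and the content signature verifies. The root, signer, names and XML manifest are all constructed for the example; the real service’s issuer, schema and OCS endpoint are not given on this page.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def name_of(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, pubkey, signer_key, eku=None, ca=False):
    # Minimal X.509 builder; 'eku' is a list of Extended Key Usage OIDs.
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(days=1))
         .not_valid_after(now + dt.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(signer_key, hashes.SHA256())

# Constructed PKI: a pinned root (the trusted issuer) and a code-signing cert it issued.
ROOT_KEY = rsa.generate_private_key(65537, 2048)
ROOT = make_cert(name_of("Constructed Root"), name_of("Constructed Root"),
                 ROOT_KEY.public_key(), ROOT_KEY, ca=True)
SIGNER_KEY = rsa.generate_private_key(65537, 2048)
SIGNER = make_cert(name_of("Constructed Mitigation Signer"), ROOT.subject,
                   SIGNER_KEY.public_key(), ROOT_KEY, eku=[ExtendedKeyUsageOID.CODE_SIGNING])
# Constructed manifest; Microsoft's real mitigation schema is not on this page.
MITIGATION_XML = b'<Mitigations><Mitigation id="EXAMPLE-0001" type="IISRewrite"/></Mitigations>'

def sign_mitigation(xml_bytes, key=SIGNER_KEY):
    # Detached RSA PKCS#1 v1.5 / SHA-256 signature over the XML bytes.
    return key.sign(xml_bytes, padding.PKCS1v15(), hashes.SHA256())

def validate_mitigation(xml_bytes, signature, signer, root=ROOT):
    # Returns (ok, reason); a client should apply the mitigation only when ok is True.
    if signer.issuer != root.subject:                       # 1. expected issuer
        return False, "unexpected issuer"
    try:                                                    # 2. Extended Key Usage
        eku = list(signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
        if ExtendedKeyUsageOID.CODE_SIGNING not in eku:
            raise ValueError
    except (x509.ExtensionNotFound, ValueError):
        return False, "EKU does not permit code signing"
    try:                                                    # 3. chain, then content
        root.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                 padding.PKCS1v15(), signer.signature_hash_algorithm)
        signer.public_key().verify(signature, xml_bytes, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False, "chain or content signature invalid"
    return True, "ok"
```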

Microsoft notes that “Each mitigation is a temporary, interim fix until you can apply the Security Update that fixes the vulnerability. The EM service is not a replacement for Exchange SUs. However, it is the fastest and easiest way to mitigate the highest risks to Internet-connected, on-premises Exchange servers before updating.”

The EM service can apply three types of mitigations:

  • IIS URL Rewrite rule mitigation, which is a rule that blocks specific patterns of malicious HTTP requests that can endanger an Exchange server
  • Exchange service mitigation, which disables a vulnerable service on an Exchange server
  • App Pool mitigation, which disables a vulnerable app pool on an Exchange server

Admins have visibility and control over any applied mitigation through PowerShell cmdlets and scripts.

The service requires the IIS URL Rewrite Module and the Universal C Runtime in Windows (KB2999226); users will be prompted to install them if needed.

Exchange Server Security Tools

Microsoft has released a number of security tools this year to better protect Exchange servers.

This latest release comes just days after news that an Exchange Autodiscover flaw leaked nearly 100,000 unique Windows domain credentials.

VMware vCenter Vulnerability Exploited

Microsoft is hardly the only software vendor whose publicly disclosed vulnerabilities are being exploited. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned that a VMware vCenter Server vulnerability reported last week is already under attack.

An attacker with network access to port 443 can exploit the vulnerability (CVE-2021-22005) to execute code on vCenter Server, which malicious actors are already attempting.

“Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code,” the agency said. “Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability.”

The CISA notice also urges a number of mitigation steps.

Paul Shread
