Microsoft Makes Exchange Server Patches Less Optional

Microsoft Exchange is a frequent target of hackers, and often the attack vector is a well-known vulnerability that a company just hasn’t gotten around to patching.

To try to deal with that problem, Microsoft is doing what a lot of other software vendors may start doing: making applying fixes a lot less optional.

In the September 2021 Cumulative Update (CU), the software giant has added a new feature called the Microsoft Exchange Emergency Mitigation (EM) service. The EM service installs automatically with the CU and may automatically disable features or functionality on an Exchange server as threats arise.

The EM service can be disabled, but that’s kind of the point: A server admin would need to actively disable the service; otherwise it will apply mitigations as threats arise.

How Exchange Mitigation Works

The EM service checks the cloud-based Office Config Service (OCS) for available mitigations every hour. The service then downloads a signed XML file containing the mitigation configuration settings and validates the signature (checking the issuer, the Extended Key Usage, and the certificate chain) to verify that the XML was not tampered with. After successful validation, the EM service applies the mitigation.

Microsoft notes that “Each mitigation is a temporary, interim fix until you can apply the Security Update that fixes the vulnerability. The EM service is not a replacement for Exchange SUs. However, it is the fastest and easiest way to mitigate the highest risks to Internet-connected, on-premises Exchange servers before updating.”

The EM service can apply three types of mitigations:

  • IIS URL Rewrite rule mitigation, which is a rule that blocks specific patterns of malicious HTTP requests that can endanger an Exchange server
  • Exchange service mitigation, which disables a vulnerable service on an Exchange server
  • App Pool mitigation, which disables a vulnerable app pool on an Exchange server

Admins have visibility and control over any applied mitigation through PowerShell cmdlets and scripts.

The service requires the IIS URL Rewrite Module and the Universal C Runtime in Windows (KB2999226), and users will be prompted to install them if needed.
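As an added example (not code from the article or from Microsoft), here is a PowerShell audit an Exchange admin could run from the Exchange Management Shell to confirm the EM service is present, whether mitigations are enabled, and which mitigations are applied or blocked on each server. The cmdlets and MitigationsEnabled/MitigationsApplied/MitigationsBlocked properties follow Microsoft's EM service documentation; the Windows service name and the OCS host name are assumptions to verify against that documentation.

```powershell
# Added example: audit the Exchange Emergency Mitigation (EM) service state.
# Run in the Exchange Management Shell on a server with the September 2021 CU.
# Cmdlet and property names follow Microsoft's EM docs; the Windows service
# name and the OCS host below are assumptions to verify locally.

# 1. Is the EM Windows service installed and running?
$svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue  # assumed name
if (-not $svc) {
    Write-Warning 'EM service not found: is the September 2021 CU (or later) installed?'
} else {
    "EM service status: $($svc.Status) (start type: $($svc.StartType))"
}

# 2. Org-wide switch: $false means no server applies mitigations automatically.
$org = Get-OrganizationConfig
"Mitigations enabled org-wide: $($org.MitigationsEnabled)"

# 3. Per-server view: mitigations applied by the service, and any an admin blocked.
Get-ExchangeServer |
    Where-Object { $_.AdminDisplayVersion.Major -ge 15 } |   # Exchange 2016/2019
    ForEach-Object {
        [pscustomobject]@{
            Server             = $_.Name
            MitigationsEnabled = $_.MitigationsEnabled
            MitigationsApplied = ($_.MitigationsApplied -join ', ')
            MitigationsBlocked = ($_.MitigationsBlocked -join ', ')
        }
    } | Format-Table -AutoSize

# 4. Can this server reach the Office Config Service over HTTPS to fetch the
#    signed mitigation XML? (Host name assumed; check Microsoft's EM docs.)
Test-NetConnection -ComputerName 'officeclient.microsoft.com' -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

A server that shows MitigationsEnabled as $true but an empty MitigationsApplied list may simply have no current mitigations, or may be unable to reach the OCS; step 4 distinguishes the two.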

Exchange Server Security Tools

Microsoft has released a number of security tools this year to better protect Exchange servers.

This latest release comes just days after news that an Exchange Autodiscover flaw leaked nearly 100,000 unique Windows domain credentials.

VMware vCenter Vulnerability Exploited

Microsoft is hardly the only software vendor whose publicly disclosed vulnerabilities are being exploited. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned that a VMware vCenter Server vulnerability reported last week is already under attack.

An attacker with network access to port 443 can exploit the vulnerability (CVE-2021-22005) to execute code on vCenter Server, which malicious actors are already attempting.

“Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code,” the agency said. “Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability.”

The CISA notice also urges a number of mitigation steps.

Paul Shread
eSecurityPlanet Editor Paul Shread has covered nearly every aspect of enterprise technology in his 20+ years in IT journalism, including award-winning articles on endpoint security and virtual data centers. He wrote a column on small business technology for, and covered financial markets for 10 years, from the dot-com boom and bust to the 2007-2009 financial crisis. He holds a market analyst certification. In a previous life he worked for daily newspapers, including the Baltimore Sun, and spent 7 years covering the federal government. Al Haig once compared him to Bob Woodward (true story - just ask Google).
