Zero-day vulnerabilities identified in Microsoft Exchange

Microsoft has just released a series of patches for zero-day vulnerabilities within on-premise versions of Microsoft Exchange Server.

Microsoft Exchange is a critical part of (almost) every organisation’s IT infrastructure. Time was this news would have had us all reaching for our latest Cumulative Updates. But these vulnerabilities only affect on-premise deployments – Exchange Online is not affected – and I’m sure those who’ve already moved online are now allowing themselves a self-satisfied sigh of relief.

What to do
The vulnerabilities exist in on-premise Exchange Servers 2010, 2013, 2016, and 2019. I re-iterate, Exchange Online is not affected.

To patch the vulnerabilities, you need to deploy the latest Exchange Cumulative Updates. Then install the relevant security updates on each Exchange Server. Prioritise servers which are accessible from the internet, such as those publishing Outlook on the web and the Exchange Control Panel (ECP).

Microsoft advises using the Exchange Server Health Checker script (you can download the latest release from GitHub) to check if you’re behind on your on-premises Exchange Server updates (NB it doesn’t support Exchange Server 2010). You can also use these useful Indicators of Compromise to assess whether the vulnerabilities were being exploited.

With that all done, you can take a breather and ask yourself whether it might be worth moving to Exchange Online: no on-premise hardware to manage and no software to upgrade or manage.

I spend most of my time talking to customers, and would be happy to talk you through the pros and cons others have seen in the on-premise and Online versions.

If you’d like to discuss Exchange Online, please get in touch through your account manager.