Microsoft Exchange Server has been intermittently making the headlines since news broke last month that the software is under attack from state-sponsored groups. Since then, the company has released several patches and advisories recommending that users update their on-premises instances of Exchange Server to protect themselves against attacks. In fact, just a couple of weeks ago, the Redmond tech giant released security patches following reports of vulnerabilities by the National Security Agency (NSA). Today, it has published a detailed advisory explaining why it is important that you keep your Exchange Server up to date.
In a blog post, Microsoft highlighted that when it released security updates (SUs) last month, it found that many customers could not install the patches because they were not running a supported Cumulative Update (CU). With new threats emerging from time to time, it is important that your organization adopts a continuous process for making sure that its Exchange Server environments are not only supported but up to date as well.
The company has indicated that for Exchange Server versions currently in mainstream support, the latest two CUs are supported, which means that they are eligible for security updates. This acts as a sliding window: it moves forward each time a new CU is released.
While it may be common sense, Microsoft has emphasized that updates that fix issues are a "good" thing. To that end, CUs are released on a quarterly basis, while SUs are usually rolled out on a Patch Tuesday if security issues have been discovered and fixed. CUs already contain all the fixes from the SUs released previously. The company recommends that you plan a maintenance schedule to keep your Exchange Server instances up to date and protected from vulnerabilities.
Microsoft has also outlined several steps to update your Exchange Server and perform maintenance activities even on very busy schedules. The firm went on to say:
Microsoft recommends that you apply all available security updates because it can be difficult to understand how even lower severity vulnerabilities disclosed in one month might interact with vulnerabilities disclosed and fixed a month later. An attack may trigger only specific low-impact functionality on a remote target machine and nothing else, causing the scoring for the CVE to be quite low one month. For example, in the following month an important issue with that functionality could be discovered, but it might be only triggered locally and require significant user interaction. That on its own might also not be scored highly. But if your software is behind in updates, these two issues could combine into an attack chain, thereby scoring at critical levels.
Lastly, Microsoft has also provided recommendations for customers who work with third parties, are in Hybrid mode, or are dependent on multiple teams to apply CUs to Exchange Server. More details are available in Microsoft's advisory.