Microsoft releases security updates for Exchange Server following report by the NSA

In March, Exchange Server made cybersecurity headlines when it was discovered to be under attack from state-sponsored groups. Microsoft was quick to release out-of-band updates for both supported and unsupported versions of Exchange, tools to break the attack chain, as well as advisories for customers. As a result of its efforts, hundreds of thousands of on-premises Exchange Server instances were patched against vulnerabilities. It is important to note that Exchange Online was not affected by this incident.

Now, Microsoft has released yet another set of security updates for Exchange Server to tackle newly discovered Remote Code Execution (RCE) vulnerabilities.


This time around, security updates are only available for Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9. If you're not on any of the aforementioned cumulative updates (CUs), Microsoft recommends that you first upgrade to a supported environment and then apply the security updates. Once again, Exchange Online customers do not need to do anything.

The Redmond tech giant says that the April 2021 security updates (SUs) patch RCE vulnerabilities that were privately reported to the firm by the National Security Agency (NSA). Although Microsoft's investigation indicates that the vulnerabilities are not being exploited by attackers, it still urges customers to apply the SUs as quickly as possible.

It is important to note that since SUs are cumulative, customers who apply the April updates will also be protected against vulnerabilities reported in March. However, customers with only the SUs released in March are unprotected against these new security flaws. Microsoft has cautioned that unlike last time, it does not plan to release out-of-band SUs for unsupported versions of Exchange Server. There are 47 old CUs affected by this flaw and it's not possible for Microsoft to invest effort in releasing updates for all of them. As such, it recommends updating to a current environment in order to apply the updates. Finally, the company has also noted that SUs have not been released for Exchange Server 2010 as it is unaffected by the latest vulnerabilities. You can find out more about the updates in Microsoft's blog post.
