The massive SolarWinds hack last year affected many companies and government institutions but, all throughout, Microsoft insisted that its infrastructure wasn’t used to propagate the vulnerability. The company, however, would face its own security problem when its Exchange servers would become part of another massive hacking incident. The company has been scrambling to patch up those holes that go back to Exchange Server 2013 but, so that it won’t leave such critical matters in customers’ hands, it is now enabling automatic patching of Exchange servers without user intervention.
It was just earlier this month when it was disclosed the Microsoft’ Exchange Servers had at least four critical flaws that allowed hackers to monitor and steal emails. Considering how vital Microsoft Exchange has become in businesses and governments around the world, the consequences of these vulnerabilities were nothing short of dramatic, especially considering the narrative surrounding the issue.
Microsoft did release patches upon public disclosure but Krebs on Security reported that the company knew about the security flaws at least as far back as January. It was implied that it didn’t move fast enough, even going as far as delaying its fix for the usual Patch Tuesday. Fortunately, the severity of the flaw convinced it otherwise.
Microsoft, however, now faces the problem of customers not applying the comprehensive Security Update it has already provided. In order to make sure that these Exchange Servers are still minimally protected, Microsoft will be automatically applying a patch to mitigate the most critical vulnerability out of four flaws identified, the one that is used as a gateway to the other three. Customers and administrators need not do anything on their end as the mitigation will be automatically installed but they do need to still keep a few things in mind.
First, this automatic mitigation will only happen for those who have automatic updates turned on. If not, they should at least install the security intelligence update build 1.333.747.0 or later. More importantly, this doesn’t actually protect Microsoft Exchange Servers completely and customers will still have to apply the Comprehensive Security Update for the whole package.