Microsoft releases security updates for Exchange Server
Published 8 March 2021
Microsoft has released several security updates for Microsoft Exchange Server to address vulnerabilities that have been used in limited targeted attacks.
Targeted attacks often employ methods similar to those found in traditional online threats, including malicious emails, compromised or malicious sites, exploits, and malware. They differ from traditional online threats in many ways and are typically conducted as campaigns, which makes them hard to detect.
“Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect against these exploits and to prevent future abuse across the ecosystem,” the Redmond-based giant said in a blog post.
The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected, the post added.
The versions affected are:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Microsoft Exchange Server 2010 is being updated for defense-in-depth purposes.
These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Restricting untrusted connections, or setting up a VPN to separate the Exchange server from external access, protects against it.
Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.
“We recommend prioritizing installing updates on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated,” Microsoft noted.
Recently, Canadian manufacturer Bombardier suffered a cyber attack, which adds to the growing list of companies and governments that are under stress.
For further information and guidance, view the full update notice on Microsoft here: