Microsoft is urging all Exchange Server customers to apply security updates immediately after new vulnerabilities were discovered. Microsoft’s security updates have been released just a month after the active exploitation of Microsoft Exchange Server vulnerabilities by Hafnium, which was thought to have impacted over 60,000 organizations. Wandera strongly recommends that organizations implement Zero Trust security to cloak vulnerable applications and mitigate the impact of future attacks.

In this article:

  1. Microsoft security updates for April information
  2. Exchange Server’s recent security vulnerabilities
  3. How to apply Microsoft’s security updates
  4. How to prepare for future threats

Microsoft security updates for April information

In this month’s Patch Tuesday (April 13th) Microsoft released its latest security update, containing fixes for Microsoft Exchange Server, Windows, Edge (Chromium-based), Azure and Azure DevOps Server, Microsoft Office, SharePoint Server, Hyper-V, Team Foundation Server, and Visual Studio. Interestingly, the update contains fixes for four new Microsoft Exchange Server flaws just a month after four other major vulnerabilities in the service were revealed to be actively exploited.

“These vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized” – CISA

The Cybersecurity and Infrastructure Security Agency (CISA) has issued instructions to all federal agencies to mitigate the threat. The emergency directive requires all federal agencies to apply Microsoft’s security updates by 12:01 am Friday April 16th, and the National Cyber Security Centre highly recommends that private enterprises do the same. Now that the security update has been released, the underlying vulnerabilities can be reverse engineered to create an exploit. Based on guidance from multiple governments’ cybersecurity departments, IT teams should act immediately to deploy the updates.

Exchange Server’s recent security vulnerabilities

The security update patches 114 Common Vulnerabilities and Exposures (CVEs), including 19 that are rated as critical. Of special note are the Microsoft Exchange Server vulnerabilities (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483), which are the highest-rated CVEs listed in the update. CVEs are scored on a 0-10 scale called the Common Vulnerability Scoring System (CVSS), which rates the severity of each vulnerability. Two of the Exchange Server vulnerabilities are rated at 9.8, higher than the Exchange bugs discovered last month.

Microsoft Security Update for April list of vulnerabilities

While the new vulnerabilities are not known to be used as part of any attack, they have been rated ‘Exploitation More Likely’ on Microsoft’s Exploitability Index. Development of exploits is especially likely because Microsoft Exchange Servers are widely deployed and hold powerful privileges.

How to apply Microsoft’s security updates

Security updates can be downloaded for all Microsoft product families through Microsoft’s website. Updating Exchange Servers will be the primary concern for many organizations; unfortunately, there is no straightforward upgrade path. Servers will need to be running specific Cumulative Update (CU) versions before the Security Update (SU) can be applied.

Required CU:

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU19 and CU20
  • Exchange Server 2019 CU8 and CU9

Administrators can download the Exchange Server Health Checker script from GitHub to gather an inventory of Exchange Servers and identify whether a CU or SU needs to be applied. Full instructions on how to install a CU and SU can be found in Microsoft’s documentation.
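For a quick, ad-hoc version of that inventory, the following PowerShell snippet (an added example; it is neither Wandera’s code nor Microsoft’s Health Checker script) reads each server’s `AdminDisplayVersion` from the Exchange Management Shell and reports whether it sits on one of the CUs listed above. The CU build numbers in the table are assumptions from memory and must be confirmed against Microsoft’s Exchange Server build-number documentation before use.

```powershell
# Added example, not from the post or from Microsoft's Health Checker script.
# The CU build numbers below are ASSUMPTIONS; confirm them against Microsoft's
# "Exchange Server build numbers and release dates" page before relying on them.
# The CU is identified by the third component of the build (e.g. 2242 in 15.1.2242.4);
# security updates only change the fourth component, so an exact match on it is enough.
$RequiredCu = @{
    '15.0' = @{ Product = 'Exchange Server 2013'; CUs = @{ 1497 = 'CU23' } }
    '15.1' = @{ Product = 'Exchange Server 2016'; CUs = @{ 2176 = 'CU19'; 2242 = 'CU20' } }
    '15.2' = @{ Product = 'Exchange Server 2019'; CUs = @{ 792 = 'CU8'; 858 = 'CU9' } }
}

function Test-ExchangeCuForAprilSu {
    # Takes a server name and its AdminDisplayVersion string, e.g. "Version 15.1 (Build 2242.4)",
    # and reports whether that server is on a CU the April 2021 SU can be applied to.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$AdminDisplayVersion
    )
    $result = [pscustomobject]@{ Server = $Name; Product = 'Unknown'; CU = 'Unknown'; SuApplicable = $false }
    if ($AdminDisplayVersion -match 'Version (\d+\.\d+) \(Build (\d+)\.\d+\)') {
        $family = $RequiredCu[$Matches[1]]
        $build  = [int]$Matches[2]
        if ($family) {
            $result.Product = $family.Product
            if ($family.CUs.ContainsKey($build)) {
                $result.CU = $family.CUs[$build]
                $result.SuApplicable = $true
            } else {
                # On a supported product but not on a CU the SU targets: a CU install comes first.
                $result.CU = "build $build (not " + ($family.CUs.Values -join '/') + ')'
            }
        }
    }
    return $result
}

# Inventory the organisation; Get-ExchangeServer requires the Exchange Management Shell.
# To try the function elsewhere, replace the next line with constructed input such as:
# $servers = @([pscustomobject]@{ Name = 'EX01'; AdminDisplayVersion = 'Version 15.1 (Build 2176.2)' })
$servers = Get-ExchangeServer
$servers |
    ForEach-Object { Test-ExchangeCuForAprilSu -Name $_.Name -AdminDisplayVersion "$($_.AdminDisplayVersion)" } |
    Format-Table -AutoSize
```

Any row with `SuApplicable` false needs a CU upgrade before the SU; the Health Checker script remains the authoritative check because it also covers the SU build itself.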

How to prepare for future threats

The high number of vulnerabilities in Microsoft’s Exchange Server should be a concern to IT and security professionals, particularly those that allow unauthenticated users and devices to gain access. As demonstrated by the Hafnium attacks, exploits can be used to indiscriminately attack organizations regardless of their size, industry or location.

While software bugs will always require updates to keep systems and businesses secure, proactive mitigation can also be implemented. Zero Trust is a security model that can prevent unauthenticated users and devices from connecting to corporate applications, effectively stopping attacks before they begin. Additionally, enforcing the Zero Trust principle of least-privilege access limits the potential impact of unwanted access.

Microsoft Security Updates and Zero Trust

The five principles of Zero Trust

Wandera’s software-defined Zero Trust solution utilizes Single Packet Authorization technology, which cloaks applications, making them invisible to outsiders. To learn more about Zero Trust and how to prevent attacks before they begin, get in contact with one of our security experts.