Security Government Microsoft United States

NSA Helps Out Microsoft With Critical Exchange Server Vulnerability Disclosures (theregister.com)

April showers bring hours of patches as Microsoft delivers its Patch Tuesday fun-fest consisting of over a hundred CVEs, including four Exchange Server vulnerabilities reported to the company by the US National Security Agency (NSA). The Register reports: Forty-four different products and services are affected, mainly having to do with Azure, Exchange Server, Office, Visual Studio Code, and Windows. Among the vulnerabilities, four have been publicly disclosed and a fifth is being actively exploited. Nineteen of the CVEs have been designated critical. "This month's release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers," Microsoft said in its blog post. "These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft. We have not seen the vulnerabilities used in attacks against our customers."

Clicking through Microsoft's coy links to CVE-2021-28480 (9.8 severity), CVE-2021-28481 (9.8 severity), CVE-2021-28482 (8.8 severity), and CVE-2021-28483 (9.0 severity), you'll find the unspecified security partner is the NSA. Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9 are affected by this set of problems. "NSA urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks," the signals intelligence agency said via Twitter.

  • by Anonymous Coward on Tuesday April 13, 2021 @08:56PM (#61270710)
    Attack surfaces light-years across, and a never-ending influx of useless features and additions. They'll be playing this game of whack-a-mole forever. Now get off my lawn.
  • by PolygamousRanchKid ( 1290638 ) on Tuesday April 13, 2021 @08:57PM (#61270714)

    How come I am thinking that this . . . "patch" . . . contains more NSA backdoors . . . ?

    • Re: (Score:1, Interesting)

      by Narcocide ( 102829 )

      Because if they were gonna actually help us they would have helped 20 fucking years ago. The NSA is entirely staffed by willing participants in overt treason.

    • The important thing is that we all have each other's backs as good Americans - now LinkedIn for 500m more and then: "we will bring a de-centralized ID to the Belgian governments, they should be gullible enough, after that last stunt with Merkel, Germany might be a little less inclined but let's start in Brussels, the new-Islamic state, capital of Europe!" Sounds like a plan.
      Did they patch LinkedIn too?
  • Bill them. (Score:5, Interesting)

    by Gravis Zero ( 934156 ) on Tuesday April 13, 2021 @09:04PM (#61270736)

    Honestly, if a government agency is helping a massive for-profit company then I sure as hell hope they are billing them for it. Also, that bill should be at least eight figures.

    • Let's see it more as a 'Quid Pro Pro' thing.

    • Re:Bill them. (Score:5, Insightful)

      by Voyager529 ( 1363959 ) on Wednesday April 14, 2021 @07:02AM (#61271598)

      Honestly, if a government agency is helping a massive for-profit company then I sure as hell hope they are billing them for it. Also, that bill should be at least eight figures.

      I think there's more than one way to look at it. The NSA isn't helping Microsoft, it's helping the thousands of American taxpayers who manage Exchange servers, and the millions more American taxpayers who are employed by companies who utilize Exchange servers. Microsoft may have gotten the code and the ability to deploy it, but the patches help Microsoft customers more than the company itself.

      Moreover, as of this comment (about noon GMT on April 14), there isn't a known attack using this Exchange hack just yet. If compromised Exchange servers are used for ransomware deployment, a certain number of companies will pay hackers hundreds of thousands of dollars. If allowed to wait until after a known vulnerability is being utilized, the down time for remediation can cost thousands or millions of dollars. If a vulnerability is exploited and compromised Exchange servers are used as a point of entry to then attack government institutions, the consequences of a successful attack could be devastating.

      The NSA helping Microsoft get ahead of the curve so that patches can be deployed before a massively scripted exploit, rather than after like in March, is, as far as I'm concerned, my tax dollars actually being used for something helpful.

      • I think there's more than one way to look at it. The NSA isn't helping Microsoft, it's helping the thousands of American taxpayers who manage Exchange servers, and the millions more American taxpayers who are employed by companies who utilize Exchange servers.

        I understand this but if they are finding fatal flaws then the NSA should be making recommendations to not use that product.

    • There is, obviously, considerable room for doubt regarding the present implementation; but in principle that's (one of) the things that Microsoft paying taxes is supposed to help cover.

      Putting a direct fee-for-service price tag on state security functions gets dicey pretty quickly: there's the externalities issue(many people aside from Microsoft benefit from either not having their mailservers hacked or having fewer hacked mailservers spamming and phishing them, so if you tie the amount of work you do pu
  • Doing their job (Score:3, Insightful)

    by Anonymous Coward on Tuesday April 13, 2021 @09:05PM (#61270738)

    About time. Pro-tip: we like it when you work for us, and not against us.

  • And I'm here to help.

    • by gtall ( 79522 ) on Wednesday April 14, 2021 @05:03AM (#61271498)

      Reagan started the destruction of the Fed. Gov. Now we have anemic infrastructure, a toothless and underfunded IRS (over $1 Trillion in uncollected taxes per year), an EPA that was sold to private industry in the last alleged administration, a COVID infection run rampant because the last administration decided it was a public relations problem, one party running against the government arguing it doesn't work after spending the last 30 years making sure it doesn't work, neglect of science and what it has to say about dumping tons of CO2 and methane into the atmosphere, one party arguing that to win elections they must get the other party's members to not vote, etc.

      Now the U.S. must confront a rising China, global warming, a health care system that will bankrupt you if you have the gall to get a major disease, and one party claiming Jesus is coming to save us so we'd better get on with screwing up the planet faster so he'll come sooner.

      That's some legacy.

  • Looks like the NSA is the world's most skilled and best paid software QA department.

    Only, they don't work for software manufacturers! :-)

  • by OneHundredAndTen ( 1523865 ) on Wednesday April 14, 2021 @09:15AM (#61271806)
    Republicans must be up in arms.
  • This is equivalent to employees of the DMV contacting Boeing and helping them out with their 737 MAX problems.
