Microsoft Says Two New Exchange Zero-Day Bugs Under Active Attack, But No Immediate Fix (techcrunch.com) 12
Microsoft has confirmed two unpatched Exchange Server zero-day vulnerabilities are being exploited by cybercriminals in real-world attacks. From a report: Vietnamese cybersecurity company GTSC, which first discovered the flaws part of its response to a customer's cybersecurity incident, in August 2022, said the two zero-days have been used in attacks on their customers' environments dating back to early-August 2022. Microsoft's Security Response Center (MRSC) said in a blog post late on Thursday that the two vulnerabilities were identified as CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution on a vulnerable server when PowerShell is accessible to the attacker. "At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems," the technology giant confirmed. Microsoft noted that an attacker would need authenticated access to the vulnerable Exchange Server, such as stolen credentials, to successfully exploit either of the two vulnerabilities, which impact on-premise Microsoft Exchange Server 2013, 2016 and 2019. Microsoft hasn't shared any further details about the attacks and declined to answer our questions. Security firm Trend Micro gave the two vulnerabilities severity ratings of 8.8 and 6.3 out of 10.
Re: (Score:1)
also why was o365 having all sort of issues yesterday.
Probably some giant campaign to get the "bitter clingers" off Exchange and into the M$ $ubscription corral.
Oh, yeah, and by the way, there are all these vulns in Exchange, and it's going to be a while before we fix them. Exchange's days are numbered anyway. Here, we'll give your company a 5% discount for migration services for 365...
Received from our TAM (Score:4, Informative)
Microsoft is aware of recent reports discussing two zero-day vulnerabilities affecting Microsoft Exchange Servers. The most severe vulnerability is an authenticated Remote Code Execution vulnerability. Microsoft is working on an accelerated timeline to release a fix.
Q: Where can I get more information about these vulnerabilities?
A: Please see the MSRC blog: https://msrc-blog.microsoft.co... [microsoft.com]
Q: When will a patch be available?
A: Microsoft is working around the clock on a fix for the two vulnerabilities and will release it when it is of sufficient quality for release.
Q: What can customers do to mitigate the issue until a patch is available?
A: Please see the MSRC blog: https://msrc-blog.microsoft.co... [microsoft.com]
Q: Is Exchange Online affected?
A: Microsoft Exchange Online has detections and mitigation in place to protect customers. Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers.
Q: What versions of Exchange are affected?
A: Exchange 2013, Exchange 2106, and Exchange 2019.
Q: Is there a comprehensive resource guide that investigators can use when investigating and remediating on-premises Exchange Server vulnerabilities?
A: Yes, Microsoft has published a guide for investigating and remediating on-premises Exchange Server vulnerabilities. Please see this MSRC blog post: Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities â" Microsoft Security Response Centerâ
=====
Referenced content:
Sources:
Bleeping Computer: New Microsoft Exchange zero-day actively exploited in attacks (bleepingcomputer.com)
The Hacker News: WARNING: New Unpatched Microsoft Exchange Zero-Day Under Active Exploitation (thehackernews.com)
Re: (Score:2)
--
Are you getting all your fruits and veggies? Suffering from stage 1 malnutrition? If you can answer either of these questions, it's time for Juice PLUS+. [karisenterprises.com]
dragging their feet? (Score:4, Interesting)
I can't believe a company with those kinds of resources needs more than a month of "working around the clock" to patch a problem of this kind of severity. They've known about this problem since August, and it's now the end of September.
It seems more likely that they are dragging their feet rather than "working around the clock" to fix this problem, since they'd prefer everyone upgrade to one of their newer (subscription-based) services. I can just hear the salesman now, "We'd have this fixed a lot sooner if it had happened on our new xyz... maybe you should upgrade??"
Re: (Score:2)
Call me cynical but one of the MS strategies is to leave things with problems in order to encourage an upgrade to something else.
Re: (Score:1)
Believe it.
They're too busy creating scant documentation for Devops Pipelines to the same Oracle JRE level of public methods and members, with no useful descriptions and no usage examples whatsoever. They'll get right on to remediations and hot fixes... just as soon as the developer community at large has created, approved and completed all of the PRs for them that fix the Devops Pipelines documentation errors and add sufficient examples to them that even a 10-year veteran of AWS and Azure services can make
Re: (Score:2)
I think MS has lost control of the abominations they created and now has to be extremely careful to not make matters worse when they attempt to "fix" anything. Bad engineering and systems design has a tendency to come back and haunt you that way.
IMO, the only way to "fix" Windows and basically all MS core applications is to throw them away and start over. After sacking everybody that has any responsibility for software and hiring people with a clue instead.
Re: (Score:2)
I heard a rumor that this is exactly what happened to an early version of MS office. The code had become so impossible to work on that they had to just scrap it and start over.
At least when you do that you know exactly how you want the software to function, and this reduces development time.
But it's an extreme response that should only be undertaken after careful consideration. When you do that, you're throwing away a lot of invested time (counter-argument: sunk-cost fallacy), and you're resetting your de
Re: (Score:2)
Well, yes. When you are in that position, the decision is a tough one. Hence anybody with a clue about software architecture, design and implementation is very careful to _not_ get into that position. There are just a lot of clueless people making software and MS is a really good example of that. In a sane world, they would never have amounted to anything. A bit cheaper but significantly worse apparently appeals to a lot of people and that is what made MS big.
swiss cheese (Score:2)
Microsoft continues to act like the swiss cheese of security. So glad I no longer administer Exchange.