Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Bug Security

Microsoft Disputes Severity of Four Zero-Day Vulnerabilities Found in Exchange by Trend Micro (bleepingcomputer.com) 26

"Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations," reports Bleeping Computer, citing disclosures Thursday from Trend Micro's Zero Day Initiative, who reported them to Microsoft on September 7th and 8th, 2023.

In an email to the site, a Microsoft spokesperson said customers who applied the August Security Updates are already protected from the first vulnerability, while the other three require attackers to have prior access to email credentials. (And for two of them no evidence was presented that it can be leveraged to gain elevation of privilege.)

"We've reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate."

From Bleeping Computer's report: ZDI disagreed with this response and decided to publish the flaws under its own tracking IDs to warn Exchange admins about the security risks... All these vulnerabilities require authentication for exploitation, which reduces their severity CVSS rating to between 7.1 and 7.5... It should be noted, though, that cybercriminals have many ways to obtain Exchange credentials, including brute-forcing weak passwords, performing phishing attacks, purchasing them, or acquiring them from info-stealer logs...

ZDI suggests that the only salient mitigation strategy is to restrict interaction with Exchange apps. However, this can be unacceptably disruptive for many businesses and organizations using the product. We also suggest implementing multi-factor authentication to prevent cybercriminals from accessing Exchange instances even when account credentials have been compromised.

This discussion has been archived. No new comments can be posted.

Microsoft Disputes Severity of Four Zero-Day Vulnerabilities Found in Exchange by Trend Micro

Comments Filter:
  • Two months ago (Score:4, Insightful)

    by phantomfive ( 622387 ) on Sunday November 05, 2023 @11:13AM (#63981726) Journal
    If the exploit was reported two months ago and still hasn't been fixed, then Microsoft is in the wrong here. The precise level of the vuln is irrelevant.

    Also Microsoft's classification of injections are dumb [microsoft.com]. If you have a remote injection/execution bug, then it's harder to prove that it only leaks public information than to actually fix the bug, and I guarantee they aren't proving anything they are just "guessing."

    In other words, Microsoft security sucks as always because of corporate bureaucracy and because of incorrect priorities.
    • Also worth mentioning [microsoft.com], if you haven't figured out how to avoid writing SQL injections by this point, something is wrong with you as a software engineer. What are you doing, writing PHP code from twenty years ago?
      • by gweihir ( 88907 )

        I do not think Microsoft is using software engineers to write and "maintain" their crap. Any reasonable software engineer would be ashamed to put out stuff this bad.

      • Also worth mentioning [microsoft.com], if you haven't figured out how to avoid writing SQL injections by this point, something is wrong with you as a software engineer.

        Exchange Server does not use a SQL Server database, so SQL injection is not a relevant concern.

        • by Anonymous Coward
          SQL Injection isn't something specific to using a Microsoft SQL Server backend, but to any SQL database backend. Exchange started out life using the Jet (AccessDB) which, guess what, is an SQL database backend.
    • by gweihir ( 88907 )

      In other words, Microsoft security sucks as always because of corporate bureaucracy and because of incorrect priorities.

      And because they do not care one bit about their customers or if the world burns. It is time for politics to realize how bad this gigantic basket is that Microsoft represents and how incredibly large the number of eggs in there. Microsoft cannot even fulfill simpler regulatory requirements as outsourcing, just hit them with the already existing books.

      • Microsoft cannot even fulfill simpler regulatory requirements as outsourcing

        I don't know what this means.

    • by davidwr ( 791652 )

      If the exploit was reported two months ago and still hasn't been fixed, then Microsoft is in the wrong here. The precise level of the vuln is irrelevant.

      I would be a bit more tolerant and say that vendors, particularly major vendors, don't need to actually fix all bugs like this after such a short period of time but they do need to publish mitigations and a timeline-to-fix within that time.

      As to whether 60 days is reasonable, there's wiggle-room there:

      For legit-severity-10 bugs that have already compromised hundreds of customers, "1 day" without the vendor fixing the issue may be too long to prevent the company's reputation from tanking.

      On the other hand, f

      • ok, why. Why do you think waiting 180 days to fix a security bug is acceptable. It doesn't take that long to fix.
        • In this particular case, I agree with you. Microsoft is reacting poorly.

          I'm just pointing out that there may be other cases where it's reasonable for a vendor to take a lot longer than 60 or even 180 days to fix a similarly-rated vulnerability. The most obvious reasons would be "force majeure"-type situations, such as a war, or half the development team was on the same bus that fell off a cliff, or something similar. But there are other, thankfully-rare, scenarios that don't involve "force majeure" that I

  • They can't really get away with outright cancelling it, too many serious customers would freak out; but MS' recent history in terms of how quickly they respond to serious vulnerabilities in Exchange vs. their response time for Exchange Online(though, notably, they prefer to be really, really, tight-lipped about something bad ever having been possible) make it hard to escape the conclusion that they basically hate on-prem Exchange customers and see their satisfaction, and even their system security, as less
    • No serious admin should put their Exchange bare on the Internet and that has been the case since Microsoft Mail for Novell NetWare.

      Even Microsoft recommends and offers both web, SMTP and IMAP proxies. I know many organizations that have tried putting OWA on the public web only to come back a few months later and revert to VPN-only access due to a hack.

      And they do have perfectly functional (although proprietary) secure mailbox access over HTTP as they built Entourage and Outlook for Mac (and later Android/iO

      • by Tarlus ( 1000874 )

        I was never as anxious as I was when I had to maintain an Exchange cluster. So glad to be out of that business.

  • Next one would be "then the product or company dies". We will not be so lucky that MS finally gets its deserved fate, but I think Exchange may go away soon. No loss at all. Then people can run actually secure and fully supported MTAs like Postfix. Of course what MS wants is to bind people even more to their half-asses cloud offering and many will fall for that trap.

  • Liability shielding has broken tech. Microsoft is allowed to sell us software, call it secure and tell us to put our most valuable information in it while never actually being able to secure our data. Check out this timeline of data breaches @ Microsoft. They've been a constant problem and they're getting bigger and happening more frequently.
    https://firewalltimes.com/microsoft-data-breach-timeline/

    Microsoft's will keep using lawyers and spokesmen to solve their tech problems because reducing liability is
    • by mysidia ( 191772 )

      Microsoft's will keep using lawyers and spokesmen to solve their tech problems because reducing liability is more profitable

      Oh... The liability Still exists it just remains with the buyer of the software. It's part of the purchase terms and negotiation Just as much as the price of the product is.

      That said if you want a vendor-assumed liability: Microsoft may not be the software vendor to make an offer to you, and the competitor who would may require an extra $20,000+ per license seat in cost attribut

  • I seem to recall within the past several years of a vulnerability (I believe it was also in Exchange) that Microsoft repeatedly refused to fix because they claimed it couldn't be exploited. Sure enough, it was eventually exploited and only then did Microsoft finally patch it. And didn't Microsoft just come out and state that they're going to begin taking security more seriously? Microsoft, this is why you remain a laughingstock among security communities.
    • didn't Microsoft just come out and state that they're going to begin taking security more seriously?

      They've been "coming out" and saying that for 20 years.

      • Yeah, but this time they pinky-swore it was for real, so...
      • by Slayer ( 6656 )

        They've been "coming out" and saying that for 20 years.

        It's been way more than 20 years, sadly. I still remember that dialog from the 90ies:

        • "This vulnerability is purely theoretical" - Microsoft
        • l0pht: Making the theoretical practical since 1992

        Many folks who now shake their heads about Microsoft haven't even been born in 1992 ...

        • "This vulnerability is purely theoretical" - Microsoft
          l0pht: Making the theoretical practical since 1992

          That's a good set of quotes. Someone who doesn't fix "theoretical" vulnerabilities is someone who has a bunch of practical vulnerabilities.

  • I remember a looong time ago there were several vulnerabilities for IBM's Lotus Sametime protocol. They lied for years about them, but eventually someone published a very nasty exploit. Hopefully, the same thing happens to M$, or not. Luckily, I'm really so far removed from any M$ software at this point it doesn't really matter.
  • Should mean that itâ(TM)s actively found being exploited and you have literally zero more days to fix it. These literally every big/exploit found is a zero day, which is stupid and redundant to even say.
    • It refers to the number of days since the vuln has been known (to the vendor or users). So if the vuln has been known for 5 days, it's a five-day vuln. A lot of times you can mitigate a vulnerability (by adding firewall rules, for example) even if there isn't an official fix.

      If it has been fixed, it's not a vulnerability anymore.

      https://en.wikipedia.org/wiki/... [wikipedia.org]

Avoid strange women and temporary variables.

Working...