Microsoft Defender Antivirus now automatically mitigates Exchange Server vulnerabilities

Mitigation fixes will be applied automatically in a renewed effort by Microsoft to contain security incidents caused by the bugs.
Written by Charlie Osborne, Contributing Writer

Microsoft has implemented an automatic mitigation tool within Defender Antivirus to tackle critical vulnerabilities in Exchange Server.

On March 18, the Redmond giant said the software will automatically mitigate CVE-2021-26855, a severe vulnerability that is being actively exploited in the wild.

This vulnerability, a server-side request forgery (SSRF) bug, is one of four that can be chained together to compromise on-premises Exchange servers.

Microsoft released emergency fixes for the security flaws on March 2 and warned that a state-sponsored threat group called Hafnium was actively exploiting the bugs, and since then, tens of thousands of organizations are suspected to have been attacked.

At least 10 other advanced persistent threat (APT) groups have since seized on the window that slow or fragmented patching has left open.

A recent security intelligence update for Microsoft Defender Antivirus and System Center Endpoint Protection means that, once the update is installed, the mitigation is applied to vulnerable Exchange servers without any further input from administrators.

According to the firm, Microsoft Defender Antivirus will automatically identify if a server is vulnerable and apply the mitigation fix once per machine. 

If automatic updates aren't turned on, administrators should install the new security intelligence update manually and confirm that the installed security intelligence build is at least 1.333.747.0 or newer. Cloud-delivered protection is not required to receive the mitigation, but the company recommends enabling it as a matter of best practice.
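The check described above, as an added example that is not from the article or from Microsoft: a PowerShell snippet that reads the Defender security intelligence version on an Exchange server, compares it against the 1.333.747.0 build the article names, triggers a signature update if the server is behind, and reports whether cloud-delivered protection is on. It assumes the built-in Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature, Get-MpPreference) is available and that it is run from an elevated prompt.

```powershell
# Added example (not Microsoft's or the article's code).
# Assumes the Defender module cmdlets below exist on the host and that the
# session is elevated; the required build is the one quoted in the article.
$RequiredBuild = [version]'1.333.747.0'

function Get-SecurityIntelligenceVersion {
    # AntivirusSignatureVersion is a dotted string such as "1.333.747.0",
    # so it can be cast to [version] and compared numerically, not as text.
    [version](Get-MpComputerStatus).AntivirusSignatureVersion
}

$current = Get-SecurityIntelligenceVersion
Write-Host "Installed security intelligence: $current (required: $RequiredBuild)"

if ($current -lt $RequiredBuild) {
    Write-Host "Below the mitigation build; requesting a security intelligence update..."
    Update-MpSignature
    $current = Get-SecurityIntelligenceVersion
}

if ($current -ge $RequiredBuild) {
    Write-Host "OK: build $current carries the CVE-2021-26855 mitigation."
} else {
    Write-Warning "Still on $current after update attempt; update manually or use Microsoft's one-click mitigation tool."
}

# Best-practice check from the article: cloud-delivered protection.
# MAPSReporting of 0 means it is disabled (1 = basic, 2 = advanced).
$maps = (Get-MpPreference).MAPSReporting
if ($maps -eq 0) {
    Write-Warning "Cloud-delivered protection is disabled; Microsoft recommends enabling it."
} else {
    Write-Host "Cloud-delivered protection is enabled (MAPSReporting=$maps)."
}

# The security intelligence build is an interim mitigation for one CVE only;
# the Exchange security update / Cumulative Update is still the actual fix.
```

A build at or above 1.333.747.0 only tells you the mitigation-capable signatures are present; it does not patch Exchange or remove anything an attacker may already have planted, so the Exchange security update and an investigation of the server remain necessary.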

Earlier this week, Microsoft released a one-click mitigation tool intended to reduce the risk of exploitation on vulnerable servers before the full patches can be applied. The Defender Antivirus update follows the same principle.

The one-click tool remains available as an alternative way to reduce risk on vulnerable servers for IT admins who do not run Defender Antivirus.

"The Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases," Microsoft says. "This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange."

On March 17, Microsoft released its quarterly cumulative updates for Exchange Server 2016 and Exchange Server 2019, which also contain the security patches needed to close the critical vulnerabilities.
