Microsoft has released security updates for unsupported versions of Exchange email servers following widespread attacks exploiting four newly discovered security vulnerabilities.
Microsoft has already released out-of-band emergency patches for Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 but, in light of ongoing cyberattacks exploiting the flaws, it's produced security updates for earlier versions of Exchange it otherwise does not patch.
The security updates for older versions of Exchange only address the four newly disclosed flaws, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The issues affect on-premises Exchange servers.
Though patches for unsupported Microsoft products are rare, the company has been forced to issue them on multiple occasions in the past five years to address global cyberattacks. It made patches for unsupported Windows XP in 2017 after the WannaCry ransomware attacks and produced patches for Windows XP again in 2019 after identifying a severe wormable flaw in Windows.
Microsoft notes that this security update for Exchange only addresses the four new flaws and does not mean those versions of Exchange, such as Exchange 2010 and earlier, are now supported. The patches are designed to update specific cumulative updates (CU) of Exchange.
The patches include updates for the following cumulative updates:
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)
"Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs). The availability of these updates does not mean that you don't have to keep your environment current," Microsoft states.
"This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update."
Microsoft spokesman Frank X Shaw said on Twitter that Microsoft engineers had "worked around the clock to deliver fixes" for these older and unsupported cumulative update versions of Windows Exchange.
Microsoft raced out patches for Exchange earlier this month after security researchers discovered that suspected China-backed hackers were exploiting Exchange servers to access emails of targets. Security firm Volexity said the bugs had been exploited from around January 6, 2021.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) this week ordered civilian agencies to apply Microsoft's patches or disconnect vulnerable email servers. CISA also warned it had seen "widespread domestic and international exploitation" of the flaws.
It's been a busy few months for cybersecurity teams around the world after the SolarWinds supply chain attack was disclosed by Microsoft and FireEye in mid-December. Those teams are already under pressure after supporting remote-working arrangements during the pandemic.
Chris Krebs, the former director of CISA, commented this week that incident response teams are burned out. He recommended patching Exchange now if possible and assuming that the organization has already been breached. If searching for signs of compromise was not currently possible, he recommended following CISA's advice: disconnect and rebuild the Exchange server.
Microsoft says the new Exchange updates are available only through the Microsoft Download Center and not on the Microsoft Update service.
"We are producing updates only for some older CUs for Exchange 2016 and 2019," it notes.
Microsoft also warns that there are problems with this security update that may cause Outlook on the web to crash, depending on the configuration.
"When you try to manually install this security update by double-clicking the update file (.msp) to run it in normal mode (that is, not as an administrator), some files are not correctly updated," Microsoft notes in a support document.
"When this issue occurs, you don't receive an error message or any indication that the security update was not correctly installed. However, Outlook on the web and the Exchange Control Panel (ECP) might stop working."
"This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn't correctly stop certain Exchange-related services. To avoid this issue, follow these steps to manually install this security update."
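The failure mode described in the support note is an update launched without elevation: no error is shown, some files stay un-updated, and Outlook on the web and ECP can then break. The following PowerShell script is an added example, not Microsoft's own documented steps; it refuses to run the update unless the session is elevated, applies the .msp through msiexec with a verbose log, and checks the installer's exit code. The update file name, the log path, and the `Test-IsElevated` helper are assumptions (placeholders) introduced here.

```powershell
# Added example (not from Microsoft's support document): apply an Exchange
# security update .msp only from an elevated session, with a verbose log,
# so the silent non-elevated failure described above cannot go unnoticed.
# Assumptions: $MspPath points at the downloaded update (placeholder name),
# $LogPath is writable, and the script is run from an elevated PowerShell.
param(
    [string]$MspPath = 'C:\Updates\Exchange-SecurityUpdate-PLACEHOLDER.msp',
    [string]$LogPath = 'C:\Updates\exchange-su-install.log'
)

# Hypothetical helper: true when the current token holds the Administrators role
# (i.e. the process was started "as administrator" and is not UAC-filtered).
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # This is exactly the case the support note warns about: a non-elevated
    # install leaves some files un-updated without any error being shown.
    Write-Error 'Not elevated. Re-run from an elevated (Run as administrator) PowerShell.'
    exit 1
}

if (-not (Test-Path -LiteralPath $MspPath)) {
    Write-Error "Update file not found: $MspPath"
    exit 1
}

# msiexec /update applies a Windows Installer patch; /l*v writes a verbose log
# that can be reviewed if the install is later suspected of being incomplete.
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/update `"$MspPath`" /l*v `"$LogPath`"" `
    -Wait -PassThru

# Standard Windows Installer exit codes: 0 = success, 3010 = success, reboot required.
switch ($proc.ExitCode) {
    0    { Write-Output 'Security update installed successfully.' }
    3010 { Write-Output 'Security update installed; a restart is required.' }
    default {
        Write-Error "msiexec exited with code $($proc.ExitCode). Review $LogPath before trusting this server."
        exit $proc.ExitCode
    }
}

# Outlook on the web and ECP are IIS applications; after a successful install,
# confirm the IIS service (W3SVC) is still running before declaring the server healthy.
Get-Service -Name W3SVC | Select-Object Name, Status
```

Run the script once per server from an elevated PowerShell; a non-zero exit or a stopped W3SVC is the cue to read the log rather than assume the update applied.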
CISA today issued another warning for organizations to apply Microsoft's patches.
"CISA urges ALL organizations across ALL sectors to follow guidance to address the widespread domestic and international exploitation of Microsoft Exchange Server product vulnerabilities," CISA said on Twitter.
"An adversary can exploit this vulnerability to compromise your network and steal information, encrypt data for ransom, or even execute a destructive attack," it said in an advisory.