back to article Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)

Microsoft has released the first Patch Tuesday bundle of the year, patching up 49 CVE-listed security vulnerabilities and issuing two advisories. Happy new year from Redmond The January edition of Patch Tuesday includes critical fixes for Windows 10, Exchange Server, and Hyper-V. Among the 49 bug fixes were patches for remote …

  1. TheVogon

    Just patched an Exchange DAG cluster and an Edge server - all seems good.

    1. ds6
      Mushroom

      All seems good

      ...Meanwhile, my employer refuses to provide the funding to upgrade from Server 2003 with very old versions of Exchange. All user home directories are stored on unencrypted SMBv1 admin shares. Every AD account has local admin privileges on whatever system they are able to log into. All AD/Google/etc. accounts are disabled manually when an employee leaves but there are still hundreds of accounts still active back to 2008. We just recently decomissioned 2 print servers at my behest that had been running for years and were completely unused security holes. I'm the only one that knows how to write scripts in the whole department. Our netmaster doesn't know how DNS wildcards work and even after I explained it to him managed to take the entire site offline for 2 days (yeeeaaah 48hr TTL) by fat-fingering the domain name. We didn't get Webroot even though they went out of their way to get rid of a company-wide infection of Emotet for us with a proprietary, custom-tooled removal package, and instead are paying for an abandonware endpoint antivirus system that hasn't had its definitions updated in months and was clearly designed for XP. My cool boss just left for a better job right after I finally had some hope of making things better. My boss's boss admitted to the whole office he "doesn't know much about computers, [he's] a policy guy" when asked if he would perform interim duties. High-profile, high-availability, mission-critical systems are running XP on hardware from a similar era and no one wants to so much as touch it from fear of killing it, and we can't get the funding for a backup, let alone replace it. We pay for third parties to manage the CMS and phone system and both regularly break. If the VoIP server ever goes down it refuses to come back up and it has to be re-imaged over the wire from their servers and any voicemails from within the time period of the last backup are lost; they have not fixed this issue despite weeks of downtime and we still pay for their services. Oh but at least we're dumping money into some Indian company to develop an absolutely useless app that shows you a glorified calendar and half the time doesn't let you log in.

      Sorry, I needed to vent about 20% of what I'm currently dealing with.

      1. Anonymous Coward
        Anonymous Coward

        Re: All seems good

        Leave; your boss clearly felt no need to stay, why the hell do you? You'll be the one left holding the can when it all finally falls down if you don't.

      2. Fading
        Thumb Up

        Re: All seems good

        Good example of some proper, at the coalface, IT work....

      3. BigSLitleP

        Re: All seems good

        I've worked for so many companies like this, which is why my average employment in any single role is about 15 months. Currently working for a "cloud provider" that seems to be mainly incompetent, using equipment way out of date or bought from ebay. We *cause* most of the problems you listed.

        Just hit 13 months in my current role.....

      4. steve 124

        Re: All seems good

        omg, been there. Good luck. You should totally find a new employer.

  2. Amos1

    Give Adobe a break

    After all, they had to push out yet another Acrobat and Reader emergency patch a few days ago.

    Oh wait, they did push a Flash patch today: https://helpx.adobe.com/security/products/flash-player/apsb19-01.html

    1. Anonymous Coward
      Anonymous Coward

      Re: Give Adobe a break

      I was going to post a comment along the lines of "No Adobe patches! What is the world coming to?"

      Not much point now......

      1. Robert Helpmann??
        Coffee/keyboard

        Re: Give Adobe a break

        A round of applause for Adobe, who didn't need to put out a single security fix for Flash today.

        So they're ditching the whole thing?!?!?! Holy crap!

        Instead, the internet's screen door will see a handful of performance and stability fixes

        And I was soooo happy, if only for a fleeting moment.

  3. john.jones.name

    exchange better than office 364 which still needs DNSSEC and DMARC

    at least you can control exchange and hide it behind a firewall or inspection service...

    e.g. office365 lacks DNSSEC and DMARC (even though Microsoft consume this information themselves customers are not to be trusted with actual security)

    1. MatthewSt Silver badge

      Re: exchange better than office 364 which still needs DNSSEC and DMARC

      DMARC has been supported for a while - https://blogs.technet.microsoft.com/fasttracktips/2016/07/16/spf-dkim-dmarc-and-exchange-online/

      There's some more docs on it here - https://docs.microsoft.com/en-us/office365/SecurityCompliance/use-dmarc-to-validate-email

  4. Anonymous Coward Silver badge
    Linux

    Hang on

    You mean some people still put Windows servers on the internet? I thought everyone had learned that you need a solid gateway device in front of them.

    "Those who cannot remember the past are condemned to repeat it."

    1. Anonymous Coward
      Anonymous Coward

      Re: Hang on

      "You mean some people still put Windows servers on the internet? I thought everyone had learned that you need a solid gateway device in front of them."

      Well in a non domain joined environment with default security settings as say a web server, Windows Server does have a rather better security record over the last decade than say a LAMP stack. Which is probably why Netcraft shows that 42% of web sites run on IIS versus only 19% on Apache these days

      1. ds6
        Linux

        Re: Hang on

        42% on IIS is because it's the Windows Solution. Got Windows Server? Why not deploy IIS? Bing bang boom you're done.

        Meanwhile everyone else has been enjoying a diversified landscape of tailored stacks, unfortunately with a bit too much serverside JavaScript... But hey, better than dealing with Windows.

        And so I quickly escape before IIS admins come for my head.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hang on

        "Which is probably why Netcraft shows that 42% of web sites run on IIS versus only 19% on Apache these days"

        IIS marketshare on actively used websites has been on a steady decline for the last decade and hasn't shown any signs of recovering. In fact it's now sitting around 7%. Even Azure now hosts more Linux than any other OS, so IIS usage increasing doesn't line up with other stats.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hang on

          "Even Azure now hosts more Linux than any other OS"

          Nope, Azure is about 30% Linux.

          1. Anonymous Coward
            Anonymous Coward

            Re: Hang on

            "Nope, Azure is about 30% Linux."

            That was two years ago.

            Then in September 2018 it hit parity with Windows: https://www.zdnet.com/article/linux-now-dominates-azure/

            Based on the trends quoted in that article it's a safe assumption that Linux has increased to a solid majority by now.

  5. big_D Silver badge

    Flash...

    Interesting, I got Flash security updates for all supported platforms (8, 10, Server 2012, 2016 and 2019) this morning on my WSUS server.

  6. SotarrTheWizard
    Unhappy

    Exchange takedown from a single message isn't new. . . .

    . . . .it was a different vulnerability, but you could take Exchange down with a single, specially-crafted message, but it was there in 2005.

    1. Anonymous Coward
      Anonymous Coward

      Re: Exchange takedown from a single message isn't new. . . .

      ". . . .it was a different vulnerability, but you could take Exchange down with a single, specially-crafted message, but it was there in 2005."

      So still a long way to go to be as bad as Sendmail then...

      1. Mike Pellatt

        Re: Exchange takedown from a single message isn't new. . . .

        Remind me again how to configure Sendmail to perform message storage for MUAs

        (Not to say that Sendmail wasn't a PoS for many, many years. But that really is an apples and oranges comparison)

  7. Doctor Evil

    One more time - with feeling

    If you're (still) running Office 2010 on an older 32-bit system, then yesterday's update will break all your Office apps -- again!

    Instead of the familiar and desired splash screen, you'll get a little window with a message that says "Entry Point Not Found : The procedure entry point GetDateFormatEx could not be located in the dynamic link library KERNEL32.dll". And then ... nothing.

    Same old, same old; this happened a month or 2 ago with KB4461522. This time the offending update is KB4461614; uninstall that and all will be well in your (admittedly somewhat antiquated) world once more.

  8. JoeUK

    Windows server 2008 R2

    Will it impacts Windows server 2008 R2?

  9. sgrier23

    Bug Tuesday

    Greetings

    I am always amazed that Microsoft and Adobe need to do bug fixes on a regular monthly rate. The real reason for this is that the applications were not written properly, and the testing was inadequate.

    App applications have bugs - faults in the code - and proper testing should and would find these and eliminate them.

    But MS and Adobe want their latest and greatest applications out there, and both of these companies - and most, if not all, allow their users to find them and tell them and hopefully the companies would fix it. But not always.

    I am totally fed up with these companies updates and security fixes - some of which cause bigger problems.

    I say that the companies should write their applications properly in the first place, and these issues won't happen.

    Moan over.

    Cheers

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like