Enjoyed the US Labor Day weekend? Because it's September 2020 and Exchange Server can be pwned via email

A nightmare flaw for Exchange Server headlines this month's Patch Tuesday lineup from Microsoft and others. September sees a bundle of 129 CVE-listed flaws patched by Microsoft. The vast majority of those, 105 in total, are classified as 'important' risks. Another 23 are considered critical bugs, and one is listed as moderate …

  1. MatthewSt Bronze badge

    Pulled?

    I've had one device update to 10.0.19042.508 but everything else is still running on 10.0.19042.450 and is showing no updates available

  2. A random security guy Bronze badge

    Curious: When did these bugs get introduced?

    I am always curious about the history of a security bug. Was it introduced years ago, was it in new code, when did it get caught, had it been modified, reviewed (and by whom), did it get caught by static code analyzers, and, finally, the expertise of the implementors.

    I wonder if anyone who analyzes MS binaries for a living (or as a hobby) can trace back the evolutionary path of the bug. I doubt MS will come forward with real data, but aggregate data would help.

  3. Anonymous Coward

    Exchange 2013

    The Exchange issue CVE doesn't mention Exchange 2013, which is still a supported version of Exchange 15.x until 2023 as long as you are running cumulative update 23. Does this mean the flaw was introduced in 2016 or that they can't be bothered to fix it in 2013?

    1. Anonymous Coward

      Re: Exchange 2013

      Me too - we're on an earlier CU than 16/17 which are the only ones listed on the MS site? Does this mean they're unaffected?

      1. Anonymous Coward

        Re: Exchange 2013

        Unless you are running a supported CU you won't get any security updates even if the product is affected. These are the last CU for versions in Extended support (CU 23 for Exchange 2013) or the current or current -1 for versions in mainstream support (16 and 17 for Exchange 2016, 5 and 6 for 2019).

        Short answer, yes you are probably vulnerable and will need to update to a supported CU then apply the hotfix. They only list supported CUs on the CVE.

        Also, 2016 goes into extended support in October. The last planned CU for 2016 will be released in December. This will be the only supported CU from that point.

        https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-2016-and-the-end-of-mainstream-support/ba-p/1574110

        1. Anonymous Coward

          Re: Exchange 2013

          One other point, if you are planning on upgrading your CU, probably best to wait until next week. If they keep the usual release cadence, then the next CU for 2016/2019 should be released on Tuesday. At this point 17 and 18 will be the supported CUs for 2016, 6 and 7 for 2019.

          If upgrading from an old CU, then you need to ensure you have the correct .NET versions as well. Check out the support matrix here.

          https://docs.microsoft.com/en-us/exchange/plan-and-deploy/supportability-matrix

          Make sure you read the release notes, especially if moving from a really old CU as there may be AD and schema updates or pre-req changes.
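          The check the two comments above describe (are you on a CU the advisory actually lists, and does the box have the .NET Framework build the target CU needs) can be done from the Exchange Management Shell before touching anything. The script below is an added example and not code from the thread, from The Register, or from Microsoft. It reads the Exchange build from ExSetup.exe and the .NET 4.x "Release" registry value; the two threshold parameters are placeholders you fill in from Microsoft's Exchange build-number table and the supportability matrix linked above, since those numbers are not on this page. The .NET Release-to-version mapping is from Microsoft's .NET Framework version-detection documentation.

```powershell
# Added example (not from the thread or from Microsoft). Run in the Exchange
# Management Shell on the Exchange server itself. Reports the installed Exchange
# build and .NET Framework release so both can be compared against the supported
# CU list in the advisory and the supportability matrix before applying the update.

# .NET 4.x "Release" DWORD thresholds -> version (from Microsoft's version-detection
# docs; only the thresholds used here).
$DotNetReleaseMap = @(
    @{ Min = 528040; Version = '4.8'   }
    @{ Min = 461808; Version = '4.7.2' }
    @{ Min = 461308; Version = '4.7.1' }
    @{ Min = 460798; Version = '4.7'   }
    @{ Min = 394802; Version = '4.6.2' }
)

function Get-ExchangeBuild {
    # ExSetup.exe carries the full product build (15.x.yyyy.z);
    # $env:ExchangeInstallPath is set by Exchange setup on the server.
    $exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    if (-not (Test-Path $exSetup)) {
        throw "ExSetup.exe not found; run this on an Exchange server."
    }
    [version](Get-Item $exSetup).VersionInfo.ProductVersion
}

function Get-DotNetRelease {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction Stop).Release
    $label = 'older than 4.6.2'
    foreach ($entry in $DotNetReleaseMap) {
        if ($release -ge $entry.Min) { $label = $entry.Version; break }
    }
    [pscustomobject]@{ Release = $release; Version = $label }
}

function Test-ExchangePatchReadiness {
    param(
        # PLACEHOLDER: lowest build of the oldest CU the advisory lists as supported
        # for your Exchange version (from Microsoft's build-number table).
        [Parameter(Mandatory)][version]$MinSupportedBuild,
        # PLACEHOLDER: lowest .NET Release value the target CU requires
        # (from the supportability matrix).
        [Parameter(Mandatory)][int]$MinDotNetRelease
    )
    $build  = Get-ExchangeBuild
    $dotnet = Get-DotNetRelease
    [pscustomobject]@{
        ExchangeBuild      = $build
        BuildIsSupportedCU = ($build -ge $MinSupportedBuild)
        DotNetVersion      = $dotnet.Version
        DotNetMeetsMinimum = ($dotnet.Release -ge $MinDotNetRelease)
    }
}

# Example call with placeholder thresholds; replace them with the real values
# from the advisory and the supportability matrix before relying on the result.
Test-ExchangePatchReadiness -MinSupportedBuild '15.1.0.0' -MinDotNetRelease 461808 |
    Format-List
```

          This is an inventory step, not a vulnerability scanner: BuildIsSupportedCU being false means the server is on a CU older than anything the advisory covers, which, as the comment above says, means upgrading the CU first and then applying the security update. A false DotNetMeetsMinimum is the case where jumping straight to the new CU would fail or leave an unsupported combination, so the .NET upgrade has to go in first.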

  4. Mike 137 Silver badge

    That depends...

    "That doesn't quite make it wormable, but it's about the worst-case scenario for Exchange servers," Childs explained.

    That rather depends on what the malicious code does once it runs, doesn't it? Apparently there's nothing to stop it downloading a worm with network privilege escalation.
