NSA helps out Microsoft with critical Exchange Server vulnerability disclosures in an April shower of patches

April showers bring hours of patches as Microsoft delivers its Patch Tuesday fun-fest consisting of over a hundred CVEs, including four Exchange Server vulnerabilities reported to the company by the US National Security Agency (NSA). Forty-four different products and services are affected, mainly having to do with Azure, …

  1. Kurgan

    NSA to the rescue

    NSA wants to be sure that all flaws are patched except for the one they use to spy on people.

    1. Anonymous Coward

      Re: NSA to the rescue

      Yes, but that's inevitable, and much better to be partially open to the NSA whilst better protected to Chinese and Russian hackers, both State and criminal. It's a quid pro quo...

  2. Pascal Monett Silver badge

    "updates to protect against new vulnerabilities in on-premise Exchange Servers"

    How come there are always "new vulnerabilities" when it comes to Exchange?

    Frankly, it's starting to look like Exchange is the new Flash.

    1. John Brown (no body) Silver badge

      Re: "updates to protect against new vulnerabilities in on-premise Exchange Servers"

      It seems much more rare to hear about vulnerabilities in off-premise Exchange Servers, i.e. O365 email servers. Could this be a marketing strategy to get people onto MS cloud services?

      1. MatthewSt Silver badge

        Re: "updates to protect against new vulnerabilities in on-premise Exchange Servers"

        More likely that Microsoft use O365 as a major testing ground so the patches are already deployed on that before the patches are released

        1. Cliffwilliams44 Bronze badge

          Re: "updates to protect against new vulnerabilities in on-premise Exchange Servers"

          No, more likely Microsoft is doing the patching themselves so there is no reason to inform the public of the need to patch!

          1. martyn.hare
            Joke

            Microsoft 365 loves to tell the public about patches!

            After they’ve compromised Service Health of course.

            Service advisories, gotta read them all!

      2. Ken Moorhouse Silver badge

        Re: It seems much more rare to hear about vulnerabilities in off-premise Exchange Servers

        As there is nothing for users to patch, there is nothing that Microsoft need announce.

  3. Denarius Silver badge

    and I remember vaguely

    criticisms of sendmail. The only config file indistinguishable from line noise. I know, I know exchange is so much more than an MTA

    1. jake Silver badge

      Re: and I remember vaguely

      Sendmail is also much more than an MTA.

      Sendmail has had line-stopper issues occasionally; maybe a dozen times in the nearly four decades I've been running it. Microsoft has line-stopper issues weekly, if not daily.

      The sendmail issues were fixed by patching sendmail, and then restarting it. No need for a server reboot or any other histrionics. No muss, no fuss.

      I wonder how many man-hours are wasted every year due to Microsoft being incapable of writing secure code. Worse, how many man-hours (read "dollars") has your company wasted in the last year due to Microsoft's inability to write secure code?

    2. FlamingDeath Silver badge

      Re: and I remember vaguely

      "I know exchange is so much more than an MTA"

      Maybe that's the problem, M$ should learn to crawl before it tries launching into orbit with a million modules bolted on, less lines of code, less chance for those podgy fingers to make mistakes

      Am I alone here?

      keep it simple, stupid

      xx

    3. Anonymous Coward

      Re: and I remember vaguely

      Didn't Yahoo! purchase something that was supposed to be a competitor to Exchange?

    4. bombastic bob Silver badge
      Devil

      Re: and I remember vaguely

      I use sendmail with an IMAP server (I use Cyrus but I set it up over a decade ago and it just works). Other solutions obviously exist. This one seemed just fine when I set it up. Integrating Cyrus was pretty easy. I'm using the FreeBSD version of sendmail.

      No need for bloat-ness and security craters, like Micros~1 Exchange

  4. ST Silver badge
    Devil

    I, for one ...

    ... am very happy to learn that someone is testing and debugging Microsoft's software.

    Because it certainly doesn't look like Microsoft is doing any of that.

    1. Nick Ryan Silver badge

      Re: I, for one ...

      I'm just happy enough that with Microsoft running Microsoft Exchange servers themselves that they are directly enjoying the shit show horror that Microsoft Exchange server management has always been.

      1. FlamingDeath Silver badge

        Re: I, for one ...

        For a private for profit company, M$ seems to have the NSA as their janitor.

        We can't surely all do that?

  5. Anonymous Coward

    So many vulnerabilities

    Makes you wonder if they were put there on purpose, but now we are aware that foreign agents are aware of our previously unknown vulnerabilities we must ask Microsoft to patch them and in doing so create some new unknown vulnerabilities. Perpetual vulnerabilities.

    Seems mighty suspicious Microsoft programmers are really that bad? Did they fire all the good ones?

    1. Nick Ryan Silver badge

      Re: So many vulnerabilities

      "Seems mighty suspicious Microsoft programmers are really that bad? Did they fire all the good ones?"

      Possibly a legacy of the incredibly destructive "stack ranking" scheme that Microsoft operated for many years.

    2. FlamingDeath Silver badge

      Re: So many vulnerabilities

      I hate to break it to you, but reality is not real, and if you look closely, you'll find we're all in 'The Muppet Show'

      "D'oh!"

      - J. Robert Oppenheimer

  6. Anonymous Coward

    "Microsoft's _intention_ is to have the OS drop its pants, bend over, and ask the whole bloody net to remotely install any bits at all . . . and then they're surprised it turns out to be a serious security flaw?" -- a Scary Devil Monastery sig.

  7. Anonymous Coward

    So, by what weird measure ..

    .. can any of Microsoft's products be deemed suitable for business?

    I mean, at some point someone should have come up with a way to actually review their code for exposure to the Internet. It's not as new an idea as it was, say, a decade ago, but I get the feeling MS is still treating it that way.

    Life is fun if you have people locked in, yet can still fully avoid any accountability..


Biting the hand that feeds IT © 1998–2021