News

Exchange Server June Update Getting Delayed To Bolster Security

• By Kurt Mackie
• 06/11/2021

Microsoft on Friday announced a coming delay in delivering this month's Exchange Server cumulative update (CU), which is being done to improve the security of those e-mail messaging products.

"In addition to bug fixes and incorporating previous Security Updates (SUs) for Exchange Server, we are taking a little bit of extra time to finish adding a new security feature to Exchange Server," the Exchange team indicated in the announcement.

Exchange Server CUs typically get distributed on the third Tuesday of a month, and this month's CU would be expected to arrive on June 15. However, Microsoft plans to push out that date to June 29.

Essential March CU
Moreover, Microsoft's Exchange team drew a line in the sand for organizations that maintain Exchange Server environments. Organizations will need to have the March 2021 CU installed to get future Exchange Server updates.

Installing the latest CUs, which arrive quarterly, has always been an Exchange Server requirement stipulated by Microsoft. In this case, though, the March CU appears to be a sort of baseline for Microsoft's coming Exchange Server security improvements.

Exchange Server AMSI Integration
The June 29 date marks the rollout of an integration in Exchange Server 2016 (and newer) server products with Microsoft's existing Antimalware Scan Interface (AMSI) solution for Windows systems. This integration is the apparent reason for the June CU delay. Organizations will need be running Exchange Server on Windows Server 2016 or newer operating systems to get the coming security perk.

Microsoft described AMSI as a "vendor-agnostic" interface that works with various anti-malware solutions to add security protections. It uses "signatures" to track "malicious content," and will work with any AMSI-capable anti-malware solution, not just Microsoft Defender Antivirus.

The AMSI integration will handle malicious HTTP requests before they get processed by Exchange Server, Microsoft suggested:

AMSI integration in Exchange Server provides the ability for an AMSI-capable antivirus/antimalware solution to scan content in HTTP requests sent to Exchange Server and block a malicious request before it is handled by Exchange Server.

Another benefit of AMSI integration is that Microsoft typically adds the expertise of its malware research team to AMSI's signature-detection capabilities.

Microsoft Defender Antivirus, which works with AMSI, is enabled by default if IT pros haven't installed an anti-malware solution for Exchange Server. If another anti-malware solution gets installed, though, Microsoft Defender Antivirus will turn itself off. Microsoft Defender Antivirus comes with Windows 10 and Windows Server 2016, and later, operating systems.

Hafnium Context
The announcement by the Exchange team didn't spell it out, but the coming improvements appear to be Microsoft's reaction to the zero-day Hafnium group attacks that caused Microsoft to issue out-of-band patches for Exchange Server on March 2.

These Hafnium Exchange Server attacks, attributed to a nation-state attacker, used a server-side request forgery approach to gain access to e-mail content. The attacks could be carried out without first obtaining Exchange Server authentication.

Microsoft likely is insisting that organizations have the March CU installed to further block such attacks.