Microsoft Issues Hafnium Security Fixes that Don't Require Latest Exchange Server Cumulative Updates
Microsoft's Exchange team on Monday announced additional help for organizations having trouble trying to patch Exchange Server products quickly in response to the Hafnium attacks.
Microsoft had released four out-of-band security patches last week to address zero-day vulnerabilities under active exploit by a nation-state actor, dubbed "Hafnium." However, those security updates for Exchange Server 2019, 2016, 2013 and 2010 products require having the latest cumulative updates installed first, before applying these new zero-day fixes.
In an unusual and merciful step, Microsoft's Exchange team described the availability of patches for the zero-day flaws that don't require having the latest cumulative updates installed on Exchange Servers. However, IT pros will have to download them from the Microsoft Download Center first before applying them -- they are not arriving automatically via the Microsoft Update service.
These patches from the Microsoft Download Center are deemed to be just a temporary measure to quickly patch Exchange Server implementations. IT pros still need to keep Exchange Server current with the latest cumulative updates.
Here's how the Exchange team expressed that sentiment:
The availability of these updates does not mean that you don't have to keep your environment current. This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update.
Microsoft isn't providing these new security updates for all Exchange Server installations out there, though.
"We are producing updates only for some older CUs for Exchange 2016 and 2019," the announcement indicated, without specifying which ones aren't supported. If the cumulative updates are not supported, then organizations need to apply the newer cumulative updates first to use the new security updates.
The new security updates available from the Microsoft Download Center just address the Hafnium Exchange Server vulnerabilities, which are listed as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
IT pros installing these security updates from a command-line interface must have elevated credentials. This point was emphasized by Rhoderick Milne, a senior premier field engineer at Microsoft, in a March 8 blog post. His post also includes lots of helpful links for IT pros.
In addition to the new security updates now available from the Microsoft Download Center, a Microsoft Security Response Center post had earlier published "interim mitigations" that organizations could take if they were having trouble with up-to-date Exchange Server patching.
This Microsoft Security Response Center post also included a note (toward the end) that the "latest version of the Microsoft Safety Scanner (MSERT.EXE)" can detect and remediate the Exchange Server vulnerabilities. It can be used by organizations not having access to the Microsoft Defender for Endpoint product, which also has detection and remediation capabilities for the vulnerabilities.
While the vulnerabilities just apply to Exchange Server, organizations with "hybrid" Exchange environments (mixing Exchange Online cloud services with on-premises servers or using hybrid identity with Azure Active Directory Connect) also are subject to the attacks, as explained in a March 5 Practical365.com post. This requirement for hybrid customers to have one Exchange Server installed on-premises for management purposes prompted a question from a reader of Microsoft's initial announcement about when that requirement might get removed.
"Hybrid customers should not have been put into this precarious situation due to whatever the underlying reasons Microsoft had for not developing a solution for removing the last Exchange servers," wrote Lynn Towle, a Microsoft Tech Community contributor, in the comments section of Microsoft's announcement.
The U.S. Cybersecurity and Infrastructure Security Agency has also been updating its guidance on "Remediating Microsoft Exchange Vulnerabilities," which can be found in this short announcement. The Federal Bureau of Investigation issued an announcement on March 6 suggesting that Hafnium attack victims should contact a local FBI field office.
Non-Microsoft security researchers have been emphasizing an assumed-breach approach for organizations running Exchange Server, with a need to perform forensics from logs. They also need to check for Webshells, which may have been installed by the attackers, going undetected by security solutions.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.