Your Microsoft Exchange Server Is a Security Liability

Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cybersecurity experts argue that a similar switch is due—or long overdue—for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data center, the time has come to move to a cloud service—if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.

The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by Chinese state-sponsored hackers known as Hafnium, who last year penetrated more than 30,000 targets, by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.

Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.

The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear enough message: An Exchange server is, itself, a security vulnerability, and the fix is to get rid of it.

“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”

Aside from the multiple vulnerabilities Orange Tsai exposed and the two actively exploited unpatched bugs revealed last month, Childs points to another 20 security flaws in Exchange that a researcher reported to ZDI, which ZDI, in turn, reported to Microsoft two weeks ago, and which remain unpatched. “Exchange right now has a very broad attack surface, and it just hasn’t had a lot of really comprehensive work done on it in years from a security perspective,” says Childs.