Childs also points to two other ZDI Exchange vulnerabilities, discovered by Childs in 2018, one in 2019 and the second in 2020, that hackers were exploiting even after they were patched. The security podcast Risky Business went so far as to title a recent episode “It’s Exchangehog Day,” a reference to the dreary cycle of vulnerability revelations and subsequent patching that the servers require.
WIRED reached out to Microsoft for comment on these Exchange security concerns. Aanchal Gupta, corporate vice president at the Microsoft Security Response Center (MSRC), provided an extensive list of the measures the company has taken to patch, mitigate and secure on-premise Exchange servers. When Tsai exposed vulnerabilities in Exchange servers, Microsoft quickly released patches to address them. Gupta further wrote that MSRC “worked around the clock” to help customers update their Exchange servers in the midst of last year’s Hafnium attacks, released numerous security updates for Exchange over the year, and even launched an Exchange Emergency Mitigation service, which helps customers automatically apply security mitigations to block known attacks on Exchange servers even before a full patch is available.
Gupta also argued that many customers should migrate from their on-premise Exchange servers to Microsoft’s cloud-based Exchange Online service. “We strongly recommend customers migrate to the cloud to take advantage of real-time security and instant updates to help keep their systems protected from the latest threats,” Gupta said in an emailed statement. “Our work to support on-premises customers to move to a supported and up-to-date version continues, and we strongly advise customers who cannot keep these systems up to date to migrate to the cloud.”
Trend Micro’s Childs explains that email administrators have trouble maintaining Exchange properly. Installing Exchange updates is complex, partly because of the software’s age and partly because changing its interdependent mechanisms risks breaking functionality. Security researcher Kevin Beaumont recently illustrated this when he live-tweeted his own experience of updating an Exchange server: he spent nearly three hours documenting the numerous bugs, crashes and hiccups, even though the server hadn’t been updated in a while. “It’s a difficult and arduous process, so even though there are active attacks, people just don’t patch their on-premise Exchange,” says Childs. “So there are patched bugs that are taking forever to get fixed, and also unpatched bugs that have yet to get fixed.”
Another problem compounding on-premise Exchange’s security woes is that the vulnerabilities found in its software are often particularly easy to exploit. Exchange bugs aren’t any more common than, say, vulnerabilities in Microsoft’s Remote Desktop Protocol, says Marcus Hutchins, an analyst for the security firm Kryptos Logic. But they’re far more reliable to use because, even though an Exchange server hosts email locally, it’s accessed through a web service. Passing commands to a web server through an online interface is far more dependable for an attacker than other methods, such as exploiting memory corruption vulnerabilities, which alter data at a lower level and are less predictable. “It’s basically very fancy web exploitation,” says Hutchins. “It’s not something that’s going to crash the server if you do it wrong. It’s very stable and simple.”