Microsoft got an early start on Patch Tuesday, releasing a series of out-of-band security updates this week to address four zero-day vulnerabilities in Exchange Server. There’s been a lot of security activity in the news, so I’m sure it is going to be a busy Patch Tuesday.
The Microsoft Security Response Center reported known attacks against Exchange Server by the hacking group Hafnium. The four vulnerabilities involved in the exploit are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. They are all listed as remote code execution vulnerabilities with CVSS v3 base scores ranging from 7.8 to 9.1. Microsoft reported that the attacks are active and external-facing servers should be updated immediately. They’ve also provided a series of PowerShell scripts to help identify whether you’ve been attacked, along with other indicators of compromise to look for.
The latest security updates from Microsoft addressing these vulnerabilities will install only on Exchange Server 2013 (CU23), Exchange Server 2016 (CU18 or CU19), and Exchange Server 2019 (CU7 or CU8). You must install the latest cumulative updates before installing the security patches. Early reports from the field indicate the updates apply smoothly following Microsoft’s directions, with a reboot required.
This announcement also included a Defense in Depth security update for Exchange Server 2010 SP3. Exchange Server 2010 is not vulnerable to this specific attack, but Microsoft has addressed some related CVEs in Exchange Server 2010 and advises applying the security update if you are running this older system. Exchange Online is not affected by this attack. On a final note, the next set of cumulative updates coming in March for the three versions of Exchange Server will include these security updates.
There were very few CVEs addressed in February’s Patch Tuesday updates; only 28 were identified for the Windows 10 components, when we often see 50 or more. With four zero-day vulnerabilities already addressed in this out-of-band release, here’s what we can expect next week for March Patch Tuesday.
March 2021 Patch Tuesday forecast
- I expect the standard fare of updates to include a larger number of CVEs fixed in the Windows 10 and legacy operating systems, Office, Microsoft 365, and the associated SharePoint server updates. We’ve gone several months without an Internet Explorer update, so I would expect one. Pay special attention to servicing stack updates (SSUs) this month because Microsoft announced they will soon be combining them into their regular Windows 10 updates.
- Adobe released security updates for many of their products last month and has not made any pre-announcements, so I don’t expect any major updates this month.
- Apple has been kicking out regular security and performance updates for Big Sur, but we still haven’t seen the iTunes security release I anticipated last month. Keep your eyes open for this one.
- Google has been releasing the week before Patch Tuesday and the trend continues this month. Chrome 89.0.4389.72 for Windows, Mac and Linux was released this week with a massive 47 security fixes. Make sure to update your systems now. Unless there is some kind of stability issue with this release, we won’t see another security update next week.
- Mozilla released some minor security updates for Firefox, Firefox ESR, and Thunderbird back on February 23. I expect to see a larger security update next week.
Unfortunately, we can’t wait until Patch Tuesday next week to get started with our March patch cycle. With active attacks against Microsoft Exchange Server, you need to update your systems quickly to ensure you are protected. We’ll have to wait until next week to see if Microsoft has any other surprises for us.