Unpatched servers make a tantalizing target for hackers, according to Microsoft.
This week Microsoft urged customers to keep their on-premises Exchange servers patched by applying the latest supported Cumulative Update (CU), so that the servers are always ready to take an emergency security update.
The strongly worded exhortation came in the form of a blog post from the Microsoft Exchange Team. Entitled simply, “Protect Your Exchange Servers”, the post makes no bones about the importance of applying updates to Exchange servers on-site. “We’ve said it before, we’re saying it now, and we’ll keep saying it: it is critical to keep your Exchange servers updated”, they write. Indeed, previous blog posts from the Team have also stressed the criticality of applying updates.
“Attackers looking to exploit unpatched Exchange servers are not going to go away,” they explain. “There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts”.
Some examples of the dangers lurking for unpatched servers: user mailboxes often contain critical and sensitive data, and every Exchange server contains a copy of the company address book, “which provides a lot of information that is useful for social engineering attacks”. Such delicate information includes organizational structure, titles, contact info, and more, they say. Finally, they add, “Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment”.
What customers “must” do
“To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU,” the Team says. That means “(as of this writing, CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013) and the latest SU (as of this writing, the January 2023 SU),” the Exchange Team said.
The Microsoft Team also asked Exchange admins to provide info on how the Exchange Server update process could be improved via an “update experience survey”.
Finally, the Team recommends always running the Exchange Server Health Checker script after installing updates.