|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
Newsletter Archives
-
Do you still patch on premises Exchange servers?
Do you still patch a Microsoft Exchange server in your network? If you do, heads up. There is
limited/targeted attackswidespread attacks underway. Microsoft has released patches for it. While they say “Exchange online is not impacted”… my guess is that it’s already patched and/or mitigated for the issue.What’s interesting to me is that the attackers are coming FROM the United States. It’s like the SolarWinds attacks, they aren’t coming from outside the USA, but inside. Thus geo blocking no longer works to keep the bad guys out.
Note this is no longer “limited attacks”. Many small businesses have been impacted as well.
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM. https://t.co/tdsYGFICML
— Microsoft Threat Intelligence (@MsftSecIntel) March 2, 2021
-
Microsoft Exchange 0day exploit code published
According to Thomas Claburn at The Reg:
Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user with a mailbox to become a Domain Admin.
Claburn goes on to reference Dirk-jan Mollema’s proof of concept post:
This blog combines a few known vulnerabilities and known protocol weaknesses into a new attack. There are 3 components which are combined to escalate from any user with a mailbox to Domain Admin access:
- Exchange Servers have (too) high privileges by default
- NTLM authentication is vulnerable to relay attacks
- Exchange has a feature which makes it authenticate to an attacker with the computer account of the Exchange server
Here’s where it gets thick. Er. Mollema claims his method allows an “attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange.”
Microsoft, however, has apparently weighed in on the elevation of privilege bug in CVE-2018-8581:
To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
And there’s the rub. The headlines make it sound like anybody with an Exchange mailbox can become a Domain Admin. The Microsoft CVE report (which, I assume, relates to the same bug) says that a man-in-the-middle attack is necessary.
Big difference.
Anybody know the details?
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
advice for setting up a new windows computer
by 4 hours, 34 minutes ago
-
It’s Identity Theft Day!
by 1 hour, 13 minutes ago
-
Android 15 require minimum 32GB of storage
by 9 hours, 24 minutes ago
-
Mac Mini 2018, iPhone 6s 2015 Are Now Vintage
by 9 hours, 33 minutes ago
-
Hertz says hackers stole customer credit card and driver’s license data
by 10 hours, 4 minutes ago
-
Firefox became sluggish
by 6 hours, 58 minutes ago
-
Windows 10 Build 19045.5794 (22H2) to Release Preview Channel
by 14 hours, 2 minutes ago
-
Windows 11 Insider Preview Build 22635.5235 (23H2) released to BETA
by 14 hours, 31 minutes ago
-
A Funny Thing Happened on the Way to the Forum
by 10 hours, 2 minutes ago
-
Download speeds only 0.3Mbps after 24H2 upgrade on WiFi and Ethernet
by 11 hours, 25 minutes ago
-
T-Mobile 5G Wireless Internet
by 3 hours, 23 minutes ago
-
Clock missing above calendar in Windows 10
by 3 hours, 57 minutes ago
-
Formula to Calculate Q1, Q2, Q3, or Q4 of the Year?
by 1 day, 5 hours ago
-
The time has come for AI-generated art
by 9 hours, 20 minutes ago
-
Hackers are using two-factor authentication to infect you
by 19 hours, 1 minute ago
-
23 and you
by 1 day, 2 hours ago
-
April’s deluge of patches
by 5 hours, 34 minutes ago
-
Windows 11 Windows Updater question
by 6 hours, 2 minutes ago
-
Key, Key, my kingdom for a Key!
by 2 days, 11 hours ago
-
Registry Patches for Windows 10
by 2 days, 15 hours ago
-
Cannot get line length to NOT wrap in Outlining in Word 365
by 1 day, 22 hours ago
-
DDU (Display Driver Uninstaller) updates
by 1 day, 7 hours ago
-
Align objects on a OneNote page
by 2 days, 21 hours ago
-
OneNote Send To button?
by 2 days, 21 hours ago
-
WU help needed with “Some settings are managed by your organization”
by 3 days, 6 hours ago
-
No Newsletters since 27 January
by 1 day, 10 hours ago
-
Linux Mint Debian Edition 7 gets OEM support, death of Ubuntu-based Mint ?
by 2 days, 6 hours ago
-
Windows Update “Areca Technology Corporation – System – 6.20.0.41”
by 2 days, 5 hours ago
-
Google One Storage Questions
by 1 day, 13 hours ago
-
Button Missing for Automatic Apps Updates
by 1 day, 20 hours ago
Remembering Woody
