Emergency Patches Released for Critical Exchange Server Flaw
Microsoft confirmed on Thursday that it has released mitigation steps for a high-severity zero-day vulnerability in Exchange Server, which is being actively exploited in the wild. The flaw allows attackers to execute arbitrary code on affected systems via cross-site scripting (XSS) attacks, specifically targeting users of Outlook on the Web (OWA).
“We are aware of limited, targeted attacks leveraging this vulnerability,” a Microsoft spokesperson said in a statement. “We strongly advise all Exchange Server administrators to apply the mitigations immediately.” The company has not yet released a full security patch but provided workarounds to block the exploit.
Background
Microsoft Exchange Server has been a frequent target for threat actors, with high-profile vulnerabilities like ProxyLogon and ProxyShell causing widespread damage in recent years. This new flaw, tracked as CVE-2023-xxxxx (under embargo), is rated 8.5 on the CVSS scale, indicating high severity.
According to the Microsoft Security Response Center (MSRC), the vulnerability exists in the way Exchange Server handles certain OWA requests. An authenticated attacker could trick a user into clicking a malicious link, leading to arbitrary code execution with the privileges of the user.
“This is a classic XSS injection vector, but the code execution component makes it particularly dangerous,” said Dr. Sarah Klein, a cybersecurity researcher at the SANS Institute. “Once inside the Exchange environment, attackers can pivot to steal emails, credentials, or deploy ransomware.”
What This Means
Organizations still running on-premises Exchange Server 2013, 2016, and 2019 are at highest risk. The mitigations released by Microsoft involve modifying web.config files and disabling certain features in OWA.
“This is a race against time,” warned John Martinson, CISO of a Fortune 500 firm. “Every unpatched Exchange server is a potential entry point for attackers. If you haven't applied the URL rewrite rules by now, you're gambling with your data.”
Microsoft has not provided a date for a cumulative update. In the meantime, administrators should:
- Immediately implement the mitigation steps outlined in Microsoft's security advisory.
- Review OWA access logs for signs of compromise, such as unusual script injection attempts.
- Enable multi-factor authentication on all Exchange administrator accounts.
- Monitor for anomalous outbound traffic that could indicate data exfiltration.
“Given the history of Exchange vulnerabilities, every organization should consider whether they can migrate to Exchange Online to reduce the attack surface,” added Klein.
Next Steps for IT Teams
Microsoft recommends testing the mitigations in a non-production environment before deployment. The company also suggests using the Exchange Server Health Checker script to verify that the workarounds are applied correctly.
“We are monitoring this situation closely and will provide updates as needed,” the Microsoft spokesperson said. For real-time updates, refer to the MSRC Update Guide.