Your Microsoft Exchange server is a security liability

In the past, reasonable people who cared about security, privacy and reliability ran their own mail servers. Today, the vast majority host their personal email in the cloud, shifting this substantial burden to the skilled security and engineering teams at companies such as Google and Microsoft. Now cybersecurity experts say a similar shift is overdue — or long overdue — for enterprise and government networks. For companies that still run Microsoft Exchange on-premises, on their own email machine somewhere in a closet or data center, now is the time to move to a cloud service, if only to escape the years-long scourge of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.

The latest reminder of this struggle came earlier this week, when Taiwanese security researcher Orange Tsai published a blog post detailing a security vulnerability in Microsoft Exchange. Tsai notified Microsoft of this vulnerability as early as June 2021, and although the company responded by releasing partial fixes, it took Microsoft 14 months to fully fix the underlying security issue. Tsai previously reported a related vulnerability in Exchange that was heavily exploited by Chinese state-sponsored hackers known as Hafnium, who last year penetrated more than 30,000 targets, according to some figures. Yet, according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the new variant of this same vulnerability, assuring Tsai no less than four times that it would fix the bug before pushing back a complete patch for months more. When Microsoft finally released a patch, Tsai wrote, it still required manual activation and lacked documentation for another four months.

Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to patch the flaws had failed. These vulnerabilities were just the latest in a long line of security bugs in Exchange’s code. And even when Microsoft releases Exchange fixes, they are often not widely implemented, due to the tedious technical process of installing them.

The result of these compounding problems, for many who have seen the hacker-induced headaches mount up when running an Exchange Server, is a pretty clear message: an Exchange Server is inherently a security vulnerability, and the solution is to get rid of it.

“You have to leave Exchange on-premises forever. That’s the bottom line,” says Dustin Childs, threat awareness manager at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers to find and report vulnerabilities in commonly used software and runs the Pwn2Own hacking contest. “You’re not getting the security patch support you expect from a truly critical component of your infrastructure.”

In addition to the multiple vulnerabilities exposed by Orange Tsai and the two actively exploited unpatched bugs disclosed last month, Childs points to 20 other security vulnerabilities in Exchange that a researcher reported to ZDI, which ZDI in turn reported to Microsoft two weeks ago, and which remain unpatched. “Right now, Exchange has a very large attack surface, and there just hasn’t been a lot of really comprehensive work done in years from a security perspective,” Childs says.