Exchange News

Last month Microsoft released cumulative updates for Exchange 2016 and Exchange 2019. Once you get the September cumulative updates, be sure to grab the security updates released in October.

While Exchange 2013 did not have a cumulative update, it did receive a security update, which can be applied to Exchange 2013 Cumulative Update 23.

A security update was not released for Exchange 2010. The latest update for Exchange 2010 is still Rollup 32 (March 2nd, 2021). Keep in mind that Exchange 2010 was out of support as of October 13th, 2020.

If you need guidance on migrating from a specific CU to the latest, check out Microsoft’s Exchange Update Wizard for step-by-step instructions.

The updates are as follows:

Exchange 2019 Cumulative Update 11 | KB5005334 | October Security Update

Exchange 2016 Cumulative Update 22 | KB5005333 | October Security Update

Exchange 2013 October Security Update | KB5007011

The new Microsoft Exchange Emergency Mitigation Service

As a response to the HAFNIUM exploits the Exchange team developed a new Exchange Emergency Mitigation service to be included with Exchange Server. Emergency Mitigation is a new Windows service that is deployed by the Exchange Server setup utility.

It is effectively a built-in version of the previously released standalone Emergency Online Mitigation Tool (EOMT) that administrators could run on-demand. The standalone tool was a way for administrators to apply interim remediation until they could apply the needed patches.

In much the same way the Emergency Mitigation Service checks the Office Config Service (OCS) for new mitigation XMLs every hour. It then applies the interim remediation specified in the XML file. The mitigation service can apply the following three actions.

• Block malicious patterns in HTTP requests via the IIS URL rewrite service
• Disable vulnerable Exchange services
• Disable vulnerable App Pools in IIS

Should you accidentally undo any mitigations, restart the Emergency Mitigation Service on the Exchange Server. Within 10 minutes the service will check OCS for the latest XML and reapply any mitigations.

At the time of writing, only a test XML file exists at the Office Config Service for heartbeat purposes. That said, your Exchange Server now requires an outbound connection to https://officeclient.microsoft.com to access these mitigation XML files. To verify Exchange can reach the Office Config Service, you can leverage the Test-MitigationServiceConnectivity.ps1 script located in the Exchange scripts folder.

Once you apply a cumulative or security update that addresses the vulnerability, you will need to manually undo any actions taken by the Emergency Mitigation Service.

This week saw some critical cumulative updates for Exchange 2016 and Exchange 2019. These new updates contain the security patches previously released on March 2nd. Organizations that apply these cumulative updates don’t need to install the previous security patch.

The exception to this is those organizations on Exchange 2010 or Exchange 2013, where no update has superseded the March 2nd security patch. Those on Exchange 2010 and 2013 must ensure that they have the March 2nd patch applied as soon as possible.

The updates are as follows:

Exchange 2019 Cumulative Update 9 | KB4602570

Exchange 2016 Cumulative Update 20 | KB4602569 | UM Language Pack

Exchange 2013 Security Update | KB5000871 (March 2nd Security Patch)

Exchange 2010 SP3 Rollup 32 | KB5000978 (March 2nd Security Patch)

Tackling the March 2nd security exploits

It is imperative to protect yourself from the exploits published on March 2nd. HAFNIUM, a cyberespionage group with ties to the Chinese government, has leveraged these Exchange Server exploits to infiltrate victims’ networks to deliver malware and other malicious payloads with varying motives, primarily to exfiltrate confidential data.

First, patching is imperative.

• Those on Exchange 2016 or 2019 should apply the latest cumulative update.
• Those on Exchange 2013 will need to install Cumulative Update 23 (released June 2019), followed by the March 2nd, 2021 security patch.
• Those on Exchange 2010 need to install rollup 32.

Note: On March 8th Microsoft updated the security patch allowing it to be installed on older cumulative updates. This aided organizations that could not yet upgrade to the latest cumulative update. Note that applying the security patch and then upgrading to an older CU (rather than the latest) will expose your organization to the exploits again.

Once you are fully patched, I recommend running the Microsoft Safety Scanner (also known as the Microsoft Emergency Response Tool), which detects and remediates all known malware. This is a self-executing program that can be downloaded here.

I recommend running a full system scan. Note that it takes a few hours to run a scan, and it may spike your CPU, so it’s best to do this during a maintenance window. If you have a database availability group, consider putting the server into maintenance mode so that you can run the scanner with zero user impact.

Last week was a big week for Exchange. Microsoft released its eighth cumulative update for Exchange 2019 as well as a cumulative update for Exchange 2016. Security updates have been released for Exchange 2010 and 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2019 Cumulative Update 8 | KB4588885

Exchange 2016 Cumulative Update 19 | KB4588884 | UM Language Pack

Exchange 2013 December Security Patch | KB4593466

Exchange 2010 SP3 Rollup 31 | KB4593467

Exchange 2016 entered extended support on October 14th

Back in October, Exchange 2016 entered extended support. The March 2021 cumulative update (CU20) is the last planned feature update for Exchange 2016. Any cumulative update after 20 is at Microsoft’s discretion.

Security patches will continue to be available in extended support until October 14th, 2025, delivered primarily through the Security Update Guide.