Exchange News

This week saw some critical cumulative updates for Exchange 2016 and Exchange 2019. These new updates contain the security patches previously released on March 2nd. Organizations that apply these cumulative updates don’t need to install the previous security patch.

The exception to this is those organizations on Exchange 2010 or Exchange 2013, where no update has superseded the March 2nd security patch. Those on Exchange 2010 and 2013 must ensure that they have the March 2nd patch applied as soon as possible.

The updates are as follows:

Exchange 2019 Cumulative Update 9 | KB4602570

Exchange 2016 Cumulative Update 20 | KB4602569 | UM Language Pack

Exchange 2013 Security Update | KB5000871 (March 2nd Security Patch)

Exchange 2010 SP3 Rollup 32 | KB5000978 (March 2nd Security Patch)

Tackling the March 2nd security exploits

It is imperative to protect yourself from the exploits published on March 2nd. HAFNIUM, a cyberespionage group with ties to the Chinese government, has leveraged these Exchange Server exploits to infiltrate victims’ networks to deliver malware and other malicious payloads with varying motives, primarily to exfiltrate confidential data.

First, patching is imperative.

• Those on Exchange 2016 or 2019 should apply the latest cumulative update.
• Those on Exchange 2013 will need to install Cumulative Update 23 (released June 2019), followed by the March 2nd, 2021 security patch.
• Those on Exchange 2010 need to install rollup 32.

Note: On March 8th Microsoft updated the security patch allowing it to be installed on older cumulative updates. This aided organizations that could not yet upgrade to the latest cumulative update. Note that applying the security patch and then upgrading to an older CU (rather than the latest) will expose your organization to the exploits again.

Once you are fully patched, I recommend running the Microsoft Safety Scanner (also known as the Microsoft Emergency Response Tool), which detects and remediates all known malware. This is a self-executing program that can be downloaded here.

I recommend running a full system scan. Note that it takes a few hours to run a scan, and it may spike your CPU, so it’s best to do this during a maintenance window. If you have a database availability group, consider putting the server into maintenance mode so that you can run the scanner with zero user impact.

Last week was a big week for Exchange. Microsoft released its eighth cumulative update for Exchange 2019 as well as a cumulative update for Exchange 2016. Security updates have been released for Exchange 2010 and 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2019 Cumulative Update 8 | KB4588885

Exchange 2016 Cumulative Update 19 | KB4588884 | UM Language Pack

Exchange 2013 December Security Patch | KB4593466

Exchange 2010 SP3 Rollup 31 | KB4593467

Exchange 2016 entered extended support on October 14th

Back in October, Exchange 2016 entered extended support. The March 2021 cumulative update (CU20) is the last planned feature update for Exchange 2016. Any cumulative update after 20 is at Microsoft’s discretion.

Security patches will continue to be available in extended support until October 14th, 2025, delivered primarily through the Security Update Guide.