There’s good and bad news about the Microsoft Exchange server zero-day exploit • Graham Cluley



Good news!

Microsoft may not yet have released a proper patch for the two new zero-day vulnerabilities that have been exploited in “limited targeted attacks” against Microsoft Exchange users, but it has published mitigations which can help protect your organisation.

Bad news!


Security researchers have found Microsoft’s mitigations can be bypassed.

Here’s a video from researcher Will Dormann in which he demonstrates how it’s possible to waltz around the mitigations Microsoft has offered for CVE-2022-41040 and CVE-2022-41082.

However, there’s additional good news: it is not possible for an unauthenticated user to exploit the security holes remotely. Any hacker who wants to attack your Exchange server will first need access to a legitimate account, either by having already broken into one of your users’ accounts, or by having infected the computer of a user who is connected to Exchange with malware that exploits the flaw.

Furthermore, reports so far have suggested that the attacks rely upon PowerShell commands being triggered, so blocking inbound TCP ports 5985 and 5986 (the HTTP and HTTPS ports used by Windows Remote Management, over which PowerShell Remoting runs) on your Exchange server will limit the possibility of attacks.
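As an added example (not code from the original post, nor Microsoft’s own guidance), here is the port block described above written as a PowerShell script that creates the firewall rules, checks that they are actually in force, and lists any WinRM listeners the server still exposes. The rule-name prefix and the server name in the final comment are assumptions chosen for illustration.

```powershell
# Added example, not code from the original post or from Microsoft's mitigation guidance.
# Blocks inbound WinRM / PowerShell Remoting (TCP 5985 = HTTP, TCP 5986 = HTTPS) on an
# Exchange server using Windows Defender Firewall, then verifies the rules and shows
# which WinRM listeners are still configured. Run in an elevated PowerShell on the server.
# The rule-name prefix and the test server name are assumptions for illustration.

$winrmPorts = @(5985, 5986)
$rulePrefix = 'Mitigation - Block inbound WinRM TCP'   # assumed naming convention

foreach ($port in $winrmPorts) {
    $name = "$rulePrefix $port"
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Explicit block rules take precedence over allow rules in Windows Firewall,
        # so this closes the port even if an existing WinRM allow rule is enabled.
        New-NetFirewallRule -DisplayName $name `
                            -Direction Inbound `
                            -Protocol TCP `
                            -LocalPort $port `
                            -RemoteAddress Any `
                            -Action Block `
                            -Profile Any `
                            -Enabled True | Out-Null
        Write-Host "Created: $name"
    } else {
        Write-Host "Already present: $name"
    }
}

# Check: each block rule must exist, be enabled, have Action=Block and cover the right port.
$problems = @()
foreach ($port in $winrmPorts) {
    $rule = Get-NetFirewallRule -DisplayName "$rulePrefix $port" -ErrorAction SilentlyContinue
    $portFilter = if ($rule) { $rule | Get-NetFirewallPortFilter } else { $null }
    if (-not $rule -or
        [string]$rule.Enabled -ne 'True' -or
        [string]$rule.Action -ne 'Block' -or
        [string]$portFilter.LocalPort -ne [string]$port) {
        $problems += "TCP $port is NOT blocked by an enabled rule named '$rulePrefix $port'"
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Both WinRM ports are blocked by enabled firewall rules.' }

# Visibility: which WinRM listeners does this server still have configured? They are
# unreachable once the ports are blocked, but their presence tells you remote management
# was in use and that administrators will need another path to the box (console/RDP).
Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props     = Get-ChildItem -Path $_.PSPath
        $transport = ($props | Where-Object Name -eq 'Transport').Value
        $lport     = ($props | Where-Object Name -eq 'Port').Value
        "WinRM listener configured: $transport on port $lport"
    }

# From a *different* host, confirm the block end to end (server name is a placeholder):
#   Test-NetConnection -ComputerName exch01.corp.example -Port 5985 | Select-Object TcpTestSucceeded
#   Test-NetConnection -ComputerName exch01.corp.example -Port 5986 | Select-Object TcpTestSucceeded
# TcpTestSucceeded should be False for both ports.
```

Two caveats worth knowing before running this. Because a block rule wins over any allow rule, you cannot carve out your management jump hosts by adding an allow rule afterwards; if you need to keep WinRM reachable from specific hosts, narrow the block rule itself by replacing `-RemoteAddress Any` with the address ranges that should be refused. And this only affects the Windows WinRM listener: Exchange’s own PowerShell virtual directory in IIS is served on the web ports (80/443), so local Exchange Management Shell sessions keep working, but by the same token this rule is a blunt reduction of attack surface rather than a fix for the underlying flaws, which still need Microsoft’s patch.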

All the same, good news and bad news aside, it would be great if Microsoft could release a proper working security patch as soon as possible.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.