Attention! Four new vulnerabilities in Exchange Server mail software!
by Svenja Koch
Microsoft once again has to close security vulnerabilities in its Exchange Server email software with an update. The software company published updates for Exchange versions 2013, 2016, and 2019 on April 13, 2021. The same versions were also affected by the vulnerabilities that Microsoft had already closed with an update in March 2021. The tip-off about Microsoft's renewed security problems came from the US intelligence service, the National Security Agency (NSA). Microsoft spokespersons explained that they were not currently aware of any malware that was already exploiting the gaps, but the company nevertheless recommended that the updates be installed immediately. In total, Microsoft closed more than 100 vulnerabilities in the package of security updates, including in the Windows operating system, its Edge web browser, and its Office programs.
In the US, the White House also directed government agencies to immediately update their email servers. Deputy Security Advisor Anne Neuberger stressed that the US government had reported the vulnerability to Microsoft because of its responsibility.
According to estimates by IT security experts, tens of thousands of email servers worldwide were attacked via the Exchange vulnerabilities that initially became known in March. Among other things, the attackers exploited the time delay resulting from the manual installation of the updates, and not all Exchange customers reacted immediately.
Recommendations for action
The BSI strongly recommends installing the security updates provided by Microsoft.