[TheRecord] Microsoft adds novel feature to Exchange servers to allow it to deploy emergency temporary fixes

Microsoft will roll out tomorrow a new security feature for its Exchange email servers, which have been at the center of several hacking campaigns over the past two years.

Called the Microsoft Exchange Emergency Mitigation (EM) service, the new feature works by automatically installing temporary mitigations that block active exploitation of security flaws until Microsoft is ready to release official patches.

The EM service will be enabled by default for all Exchange servers once they install the September 2021 Cumulative Updates (CUs) for Exchange servers, which are shipping out tomorrow, after Microsoft delayed their release last week to have more time to work on it.

Under the hood, the feature will work by connecting to the Office Config Service (OCS) and downloading mitigations (in the form of XML rules) from the following URL:


These mitigations contain three types of configuration changes:

IIS URL Rewrite rule mitigation. This is a rule that blocks specific patterns of malicious HTTP requests that can endanger an Exchange server.

Exchange service mitigation. This disables a vulnerable service on an Exchange server.

App Pool mitigation. This disables a vulnerable app pool on an Exchange server.

Once Microsoft detects a new attack, it will push out temporary mitigations via EM to all Exchange servers around the world and begin working on a software patch.

“Since in the future mitigations may be released at any time, we chose to have the EM service check for mitigations hourly,” the Microsoft Exchange team said last week.

For Exchange servers that are installed in highly secured environments, Microsoft is also providing a way to disable the EM service and let administrators apply mitigations by hand or by using the Exchange On-premises Mitigation Tool (EOMT).

Instructions on disabling the EM service are available on this documentation page.
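Because EM can be switched off org-wide or per server and only acts when its Windows service is actually polling OCS, an administrator will want a quick way to confirm which state a given server is in. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes it is run in the Exchange Management Shell on a server that has the September 2021 CU, and the cmdlet and property names (MitigationsEnabled, MitigationsApplied, MitigationsBlocked, the MSExchangeMitigation service, the MitigationService log folder) are taken from Microsoft's EM documentation rather than from this page.

```powershell
# Added example: local health check for the Exchange Emergency Mitigation (EM) service.
# Assumes the Exchange Management Shell on an Exchange 2016/2019 server with the Sept 2021 CU.
# Names follow Microsoft's EM documentation; the verdict logic is this example's own.
Import-Module WebAdministration -ErrorAction SilentlyContinue

$server   = $env:COMPUTERNAME
$findings = [ordered]@{}

# 1. Is the EM Windows service present and running? If not, nothing is fetched from OCS.
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
$findings['ServiceRunning'] = ($null -ne $svc -and $svc.Status -eq 'Running')

# 2. EM has an org-wide switch and a per-server switch; both must be on for auto-mitigation.
$findings['OrgEnabled']    = [bool](Get-OrganizationConfig).MitigationsEnabled
$srvCfg = Get-ExchangeServer -Identity $server
$findings['ServerEnabled'] = [bool]$srvCfg.MitigationsEnabled

# 3. Which mitigations have been applied here, and which has an admin deliberately blocked?
$findings['Applied'] = @($srvCfg.MitigationsApplied)
$findings['Blocked'] = @($srvCfg.MitigationsBlocked)

# 4. Evidence of the "App Pool mitigation" type: Exchange application pools that are stopped.
$findings['StoppedAppPools'] = @(Get-ChildItem IIS:\AppPools |
    Where-Object { $_.Name -like 'MSExchange*' -and $_.state -eq 'Stopped' } |
    Select-Object -ExpandProperty Name)

# 5. The service checks hourly, so a log folder untouched for >2 hours means it is not polling.
$logDir  = Join-Path $env:ExchangeInstallPath 'Logging\MitigationService'
$lastLog = Get-ChildItem $logDir -Filter *.log -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
$findings['LastLogWrite'] = if ($lastLog) { $lastLog.LastWriteTime } else { $null }
$findings['LogStale']     = (-not $lastLog) -or ($lastLog.LastWriteTime -lt (Get-Date).AddHours(-2))

# Overall verdict: automatic mitigation is only active when all three switches agree.
$findings['AutoMitigationActive'] = $findings.ServiceRunning -and
                                    $findings.OrgEnabled -and
                                    $findings.ServerEnabled -and
                                    -not $findings.LogStale

[pscustomobject]$findings | Format-List
```

A server that shows AutoMitigationActive = False but a populated Applied list was mitigated earlier and has since been switched off or stopped polling, which is the case an administrator in a locked-down environment will want to notice and handle by hand or with EOMT.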

The EM service is one of the first-of-its-kind security features that can automatically deploy temporary fixes to a software app until a permanent fix is available.

Several security experts lauded Microsoft last week for its forward thinking in addressing the problem of deploying mitigations, most of which are complex configuration changes that typically need to be applied by hand. Furthermore, many are often applied incorrectly or are left incomplete when users accidentally skip or miss a step, leaving their systems still vulnerable to attacks.

This is a Big Deal. A huge deal. The September CU for on-prem Exchange Server will install an Emergency Mitigations feature that, by default, will automatically apply mitigations released for the most dangerous Exchange vulns.

Bravo. Other vendors take note. https://t.co/3ShavhUwxi

— Brian in Pittsburgh (@arekfurt) September 25, 2021

The post Microsoft adds novel feature to Exchange servers to allow it to deploy emergency temporary fixes appeared first on The Record by Recorded Future.
