NSA uncovers new "critical" flaws in Microsoft Exchange Server
Federal government orders all agencies to install fixes as the FBI scrambles to remove backdoors


Microsoft released three new patches for its Exchange Server software on Tuesday after the National Security Agency (NSA) alerted the company to a fresh batch of critical vulnerabilities.
The new fixes are for three versions of Exchange Server - 2013, 2016 and 2019 - and the flaws are said to be different vulnerabilities to the ones disclosed in March. However, US agencies continue to find and remove vulnerabilities in their systems a month after the previous flaws were first discovered.
In response to the release of new fixes, the White House ordered all its agencies to install them, warning that the vulnerabilities "pose an unacceptable risk" to Federal operations.
Microsoft's Exchange Server email and calendar software is mostly used in on-premise data centres. The popularity of the system was highlighted by the number of reported breaches that followed the discovery of the initial flaws.
"Microsoft released a set of Exchange patches today that are critical," a White House statement read. "We urge all owners and operators of Microsoft Exchange Servers to apply these latest patches immediately. The US government will lead by example - we are requiring all agencies to immediately patch their Exchange servers, as well."
Exchange Server vulnerabilities have caused issues for a number of organisations around the world, with many servers having already been breached and still vulnerable via embedded backdoors. Chinese state-sponsored hacking group Hafnium was spotted by Microsoft using the vulnerability to break into Exchange Servers to view or steal contents.
These vulnerabilities were patched by Microsoft, but backdoors embedded in breached servers were not closed. Within a few days, other hacking groups began hitting compromised servers with the same flaws to deploy ransomware.
As a result, a US court has had to authorise an FBI operation to "copy and remove" backdoors from hundreds of Exchange Servers. The Justice Department said the operation was "successful", but it only removed backdoors and did not patch the vulnerabilities exploited by the hackers or remove any malware that may have been left behind.
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.
Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.