The critical security update for Exchange that Microsoft released on Feb. 11 has not yet been installed on a large number of servers. This poses a great risk, as servers can be completely taken over via this vulnerability.

An attacker only needs access to a user's e-mail account on the server. From there, he can execute arbitrary code with system privileges, and thus intercept and manipulate e-mail traffic, among other things. A week ago, the first attacks actively exploiting the security hole were discovered.

Security firm Kenna Security investigated how quickly organizations were rolling out the Exchange patch. Researcher Jonathan Cran saw that less than 15 percent had the Exchange update installed. Cran also used a dataset of Outlook Web Access (OWA) servers collected through the search engine BinaryEdge. It covers 220,000 publicly accessible OWA servers, 74 percent of which were found to be vulnerable. According to Cran, this may be because Exchange plays an important role within organizations and therefore cannot, or should not, be easily updated.

"Drop everything and patch this vulnerability immediately," the researcher advises. "Right now, this vulnerability poses a greater risk than most other vulnerabilities in the enterprise environment."
