CISA instructs all agencies to install new Microsoft Exchange patches

Microsoft on Tuesday released patches for three versions of its Exchange Server email and calendar software, which companies run in their own on-premises data centers, and the federal government has ordered all agencies to install them, warning that the vulnerabilities “pose an unacceptable risk to the federal company and require immediate, emergency action.”

The updates come a month after Microsoft took action to respond to attacks on other Exchange Server flaws, which the company said had been exploited by Chinese hackers. But unlike last time, Microsoft said in a blog post that it has yet to observe exploits of the newly discovered holes.

However, the widespread use of Exchange and the importance of email in general have prompted the federal government to sound the alarm.

In a directive issued Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted that these vulnerabilities “are different from those disclosed and resolved in March 2021” and ordered all government agencies to deploy the patches before Friday.

“Given the powerful privileges that Exchange handles by default and the amount of potentially sensitive information that is stored on Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are ‘main goal of the opposing activity,’” CISA wrote. “This determination is based on the likelihood that the vulnerabilities will be armed, combined with widespread use of the affected software across the executive branch and high potential for a commitment to the integrity and confidentiality of the agency’s information.”

The new patches apply to the 2013, 2016, and 2019 versions of Exchange Server.

The company said organizations using the cloud-based Exchange Online service included in Microsoft 365 subscription packages are already protected.

Microsoft gave credit to the U.S. National Security Agency for reporting the new vulnerabilities.
