Microsoft on Tuesday released patches for three versions of its Exchange Server email and calendar software that companies use in on-premises data centers. The federal government has ordered all agencies to install them, warning that the patched vulnerabilities pose an unacceptable risk to the federal enterprise and require immediate action.
The updates come a month after Microsoft took action in response to attacks on other bugs in Exchange Server that the company claims were being exploited by Chinese hackers. But unlike last time, Microsoft said in a blog post that it had not seen any exploits of the newly discovered holes.
However, the widespread use of Exchange and the importance of email in general have caused the federal government to sound the alarm.
In a policy released Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency stated that these vulnerabilities “are different from those revealed and fixed in March 2021,” and urged all government agencies to deploy the patches before Friday.
“Given the powerful permissions that Exchange manages by default and the amount of potentially sensitive information stored on Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a prime target for adversary activity,” wrote CISA. “This finding is based on the likelihood that the vulnerabilities will be armed, combined with the widespread use of the affected software across the executive branch and the high potential for a compromise between integrity and confidentiality of agency information.”
The new patches apply to the 2013, 2016, and 2019 versions of Exchange Server.
The company stated that organizations using the cloud-based Exchange Online service included in Microsoft 365 subscription bundles are already protected.
Microsoft credited the US National Security Agency with reporting the new security vulnerabilities.