Storagepipe Is Now Thrive

GridWay Is Now Thrive


Exchange Vulnerabilities Expose Microsoft’s Obstructive Patching Requirements

Exchange Vulnerabilities Expose Microsoft’s Obstructive Patching Requirements

The Microsoft Exchange Server attack, which was publicly disclosed by Microsoft on March 2nd, was thoroughly explained by my colleague Eric Hasenstab in his blog post.  If you have not read it, please do so as it provides an excellent summary of the attack itself along with Thrive’s response to it.  The intent of this post is to do a slightly deeper dive into Microsoft’s Exchange Server patching policies which led to unfortunate worldwide delays in the rollout of patches to address these vulnerabilities.

When Microsoft announced the vulnerabilities on March 2nd, many people overlooked a small detail in the patching prerequisites.  The critical security patches were only available for supported versions of Exchange CUs (Cumulative Update).  So, what is an Exchange CU?  First and foremost, it is not a patch and cannot be deployed via automated patching services like Windows Updates.  Per Microsoft, an Exchange CU “is a full installation of Exchange that includes all updates and changes from previous CUs.”

Microsoft leverages this Cumulative Update servicing model for all current versions of Exchange.