
Exchange Vulnerabilities Expose Microsoft’s Obstructive Patching Requirements

The Microsoft Exchange Server attack, which Microsoft publicly disclosed on March 2nd, 2021, was thoroughly explained by my colleague Eric Hasenstab in his blog post. If you have not read it, please do so, as it provides an excellent summary of the attack itself along with Thrive’s response to it. The intent of this post is to take a slightly deeper dive into Microsoft’s Exchange Server patching policies, which led to unfortunate worldwide delays in the rollout of patches for these vulnerabilities.

When Microsoft announced the vulnerabilities on March 2nd, many people overlooked a small detail in the patching prerequisites: the security updates were only available for supported Exchange Cumulative Updates (CUs), which at that time meant Exchange 2013 CU23, Exchange 2016 CU18 and CU19, and Exchange 2019 CU7 and CU8. So, what is an Exchange CU? First and foremost, it is not a patch and cannot be deployed through automated patching services like Windows Update. Per Microsoft, an Exchange CU “is a full installation of Exchange that includes all updates and changes from previous CUs.”

Microsoft uses this Cumulative Update servicing model for all current versions of Exchange. CUs are released quarterly, and each CU remains supported for an additional 3 months after the release of the next CU, so in practice any given CU is supported for roughly 6 months after it ships. Once a CU reaches end of support, it is no longer eligible for the Exchange security updates (SUs) that Microsoft releases outside the quarterly CU schedule. Note also that an SU is built against a specific CU and will only install on that CU, so an organization on an older CU cannot simply apply the SU published for the current one.

To further compound the difficulty of staying on a current CU, installing one requires significant downtime and carries real risk to server stability. Since a CU is a full installation of Exchange, downtime can exceed 4 hours, and a failed installation can leave the server in a partially upgraded state and turn a maintenance window into an extended outage. As a result, it is exceedingly difficult for many organizations to keep their Exchange CUs current. Microsoft acknowledged this reality a full week after disclosing the vulnerabilities, on March 8th, by releasing security updates for a range of older, out-of-support CUs, while advising that these were a temporary measure and that servers should still be brought to a supported CU. Unfortunately, by then countless servers had already been exposed to malicious activity from state-sponsored threat actors and criminal organizations.
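The first practical question the servicing model raises is “which CU is this server actually on, and is that CU still inside the SU window?” The following PowerShell is an added example written for this post (it is not Thrive’s or Microsoft’s code). It reads the real build from ExSetup.exe and checks it against a table of CU release dates using the rule described above (a CU is supported until three months after the next CU ships). The table is a sample for Exchange 2016 CU16 through CU19 filled in from memory; verify the builds and dates against Microsoft’s published Exchange Server build numbers page before relying on it, and extend it for Exchange 2013 and 2019 as needed. It assumes ExSetup.exe is on the PATH, which is the case in the Exchange Management Shell.

```powershell
# Added example (not from the original post): identify the installed Exchange CU
# and whether it is still inside the security-update (SU) servicing window.
#
# Assumptions: ExSetup.exe is on PATH (true in the Exchange Management Shell),
# and the CU table below is accurate. The table is a sample for Exchange 2016
# CU16-CU19; confirm it against Microsoft's build-number page before use.

# Sample CU table: RTM build of each CU plus its release date.
$Exchange2016Cus = @(
    @{ Name = 'Exchange 2016 CU16'; Build = '15.1.1979.3'; Released = '2020-03-17' }
    @{ Name = 'Exchange 2016 CU17'; Build = '15.1.2044.4'; Released = '2020-06-16' }
    @{ Name = 'Exchange 2016 CU18'; Build = '15.1.2106.2'; Released = '2020-09-15' }
    @{ Name = 'Exchange 2016 CU19'; Build = '15.1.2176.2'; Released = '2020-12-15' }
) | ForEach-Object { [pscustomobject]$_ }

# Read the real build from ExSetup.exe. Get-ExchangeServer's AdminDisplayVersion
# does not change when an SU is installed, so the file version is the reliable
# way to see which SU (if any) is present.
function Get-InstalledExchangeBuild {
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    [version]$exsetup.FileVersionInfo.ProductVersion
}

# A CU stays in support until three months after the *next* CU ships; the
# newest CU has no end date yet. Derive the windows from the release dates
# rather than hard-coding end-of-support dates.
function Get-CuSupportWindows {
    param([Parameter(Mandatory)][object[]]$Table)
    $sorted = @($Table | Sort-Object { [version]$_.Build })
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $supportEnd = $null
        if ($i + 1 -lt $sorted.Count) {
            $supportEnd = ([datetime]$sorted[$i + 1].Released).AddMonths(3)
        }
        [pscustomobject]@{
            Name       = $sorted[$i].Name
            Build      = [version]$sorted[$i].Build
            Released   = [datetime]$sorted[$i].Released
            SupportEnd = $supportEnd
        }
    }
}

# Map an installed build to its CU and report whether SUs are still available
# for it on a given date. SUs only bump the last (revision) part of the version,
# so the CU is identified by major.minor.build.
function Test-CuSupported {
    param(
        [Parameter(Mandatory)][version]$Build,
        [Parameter(Mandatory)][object[]]$Table,
        [datetime]$AsOf = (Get-Date)
    )
    $cu = Get-CuSupportWindows -Table $Table | Where-Object {
        $_.Build.Major -eq $Build.Major -and
        $_.Build.Minor -eq $Build.Minor -and
        $_.Build.Build -eq $Build.Build
    }
    if (-not $cu) {
        return [pscustomobject]@{ Build = $Build; Cu = 'not in table'; Supported = $false; SupportEnd = $null }
    }
    $supported = ($null -eq $cu.SupportEnd) -or ($AsOf -lt $cu.SupportEnd)
    [pscustomobject]@{ Build = $Build; Cu = $cu.Name; Supported = $supported; SupportEnd = $cu.SupportEnd }
}

# Offline demonstration with constructed builds, evaluated as of 2 March 2021:
#   CU19 (no newer CU yet)    -> supported
#   CU18 (CU19 + 3 months)    -> supported until 15 March 2021
#   CU17 (CU18 + 3 months)    -> out of support since 15 December 2020, no SU
$disclosure = [datetime]'2021-03-02'
foreach ($b in '15.1.2176.2', '15.1.2106.2', '15.1.2044.4') {
    Test-CuSupported -Build ([version]$b) -Table $Exchange2016Cus -AsOf $disclosure
}

# On a real server, from the Exchange Management Shell:
# Test-CuSupported -Build (Get-InstalledExchangeBuild) -Table $Exchange2016Cus
```

Run against the sample table with the disclosure date, CU18 and CU19 come back as supported and CU17 does not, which matches which Exchange 2016 CUs received the March 2nd updates. The same major.minor.build matching is what you need when Microsoft later publishes SUs for older CUs: each package is built for exactly one CU, so knowing the precise build tells you which download applies.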

To recap:

  • Microsoft originally released security updates only for currently supported Exchange CUs
  • A CU isn’t a patch; it is a full installation of Exchange
  • A CU installation is at best disruptive and at worst hazardous to server stability
  • A CU is only supported for roughly 6 months after its release
  • Microsoft took an entire week to release security updates for older CUs

If it’s not clear by now, there is only one reasonable solution to maintaining a stable and secure Exchange Server: migrate your business off Exchange Server to a cloud-based solution and transfer the patching responsibility to the cloud provider.

To this end, Thrive has a team dedicated to Exchange migrations that can seamlessly transition your organization to the cloud email solution that best meets the needs of your business. Contact us to learn more.