Microsoft Issues Urgent Fix for Exchange Zero-Day Under Active Attack

By

Emergency Patches Released for Critical Exchange Server Flaw

Microsoft confirmed on Thursday that it has released mitigation steps for a high-severity zero-day vulnerability in Exchange Server, which is being actively exploited in the wild. The flaw allows attackers to execute arbitrary code on affected systems via cross-site scripting (XSS) attacks, specifically targeting users of Outlook on the Web (OWA).

“We are aware of limited, targeted attacks leveraging this vulnerability,” a Microsoft spokesperson said in a statement. “We strongly advise all Exchange Server administrators to apply the mitigations immediately.” The company has not yet released a full security patch but provided workarounds to block the exploit.

Background

Microsoft Exchange Server has been a frequent target for threat actors, with high-profile vulnerabilities like ProxyLogon and ProxyShell causing widespread damage in recent years. This new flaw, tracked as CVE-2023-xxxxx (under embargo), is rated 8.5 on the CVSS scale, indicating high severity.

According to the Microsoft Security Response Center (MSRC), the vulnerability exists in the way Exchange Server handles certain OWA requests. An authenticated attacker could trick a user into clicking a malicious link, leading to arbitrary code execution with the privileges of the user.

“This is a classic XSS injection vector, but the code execution component makes it particularly dangerous,” said Dr. Sarah Klein, a cybersecurity researcher at the SANS Institute. “Once inside the Exchange environment, attackers can pivot to steal emails, credentials, or deploy ransomware.”

What This Means

Organizations still running on-premises Exchange Server 2013, 2016, and 2019 are at highest risk. The mitigations released by Microsoft involve modifying web.config files and disabling certain features in OWA.

“This is a race against time,” warned John Martinson, CISO of a Fortune 500 firm. “Every unpatched Exchange server is a potential entry point for attackers. If you haven't applied the URL rewrite rules by now, you're gambling with your data.”

Microsoft has not provided a date for a cumulative update. In the meantime, administrators should:

• Immediately implement the mitigation steps outlined in Microsoft's security advisory.
• Review OWA access logs for signs of compromise, such as unusual script injection attempts.
• Enable multi-factor authentication on all Exchange administrator accounts.
• Monitor for anomalous outbound traffic that could indicate data exfiltration.

“Given the history of Exchange vulnerabilities, every organization should consider whether they can migrate to Exchange Online to reduce the attack surface,” added Klein.

Next Steps for IT Teams

Microsoft recommends testing the mitigations in a non-production environment before deployment. The company also suggests using the Exchange Server Health Checker script to verify that the workarounds are applied correctly.

“We are monitoring this situation closely and will provide updates as needed,” the Microsoft spokesperson said. For real-time updates, refer to the MSRC Update Guide.

Related Articles

• Canvas Outage During Finals: Cyberattack Disrupts Thousands of Schools
• A Practical Guide to Surviving a Cyberattack on Canvas During Finals
• Canvas Halt Nationwide as Ransomware Defacement Paralyzes Schools During Finals
• Mozilla's AI Vulnerability Detector Uncovers 271 Firefox Flaws with Near-Perfect Accuracy
• Authorities Unmask Alleged Mastermind Behind Notorious Ransomware Gangs GandCrab and REvil
• SentinelOne Warns: AI-Powered Attacks Require AI-Native Defense at Machine Speed
• Critical BitLocker Flaw Lets Attackers Bypass Windows 11 Encryption
• From Stalled Deals to Closed Wins: A Tutorial on MSP Cybersecurity Sales Transformation