
Microsoft, OMG!

I don’t usually write about Microsoft Patch Tuesday, but this one is a bit of a mess.

First of all, they are patching 108 bugs. This is definitely on the large side, but not the largest ever.

More concerning is that they are patching 5 “zero-days”, one of which was already being used in attacks. The other four will likely begin to be used within a couple of days.

Microsoft also patched four additional critical Exchange vulnerabilities for those companies still running on-premises Exchange servers. If this whole Exchange fiasco isn’t enough to make you migrate to Office 365, you might want to rethink that strategy. The zero-days are a combination of privilege escalation, denial of service and information disclosure.

CISA says that federal agencies have a deadline of Friday to patch their Exchange servers.

But that is not all.

The FBI got permission from a federal judge to reach in and delete malware from private companies’ Exchange servers. That is a bit creepy. These are among the tens of thousands of Exchange servers that were infected and were not patched. Even where the patches were applied, if the hackers were already in there, the patch did not remove them. Also, if the FBI removes the malware but the users have not patched the servers, they will likely become infected again.

When you read the fine print, it is a little less scary, but only a little bit. What the FBI did is this: they sent targeted commands to Exchange servers being operated by private companies inside the U.S., using commands that the malware already had built in, which told the malware to delete itself. They did not inform the companies in advance.

I am sure that they felt this was safe, but what are the limits of what the government should be allowed to do to computers being run by private companies?

A less invasive but more complex solution would be to tell the Internet providers of these servers to block all traffic to and from the server. That would achieve the same result (stopping the malware and exfiltration of data), but it would require the FBI to coordinate with multiple Internet providers. Then the Internet providers would need to explain to their customers why their mail server was no longer working. The good news is that the Internet provider knows exactly who to call – the person they send the bill to. That is much harder for the FBI to do. It is a mess no matter what.

While I understand why the FBI did that, it seems like a really slippery slope. Especially since those companies did not even know that the FBI did that. They are trying to contact those companies now.

For more information on patch Tuesday, see this Bleeping Computer article.

For more information on the Exchange bugs, see this item from NSA via Bleeping Computer.

For more information on the FBI’s hacking exploits, click here.