CISA orders all agencies to install new Microsoft Exchange patches

Microsoft on Tuesday released patches for three versions of Exchange Server, the email and calendar software that companies run in their own data centers. The federal government has ordered all agencies to install them, warning that the vulnerabilities “pose a risk to the federal enterprise and require immediate and urgent action.”

The updates come a month after Microsoft responded to attacks on other Exchange Server flaws, which the company said were exploited by Chinese hackers. Unlike last time, Microsoft said in a blog post that it has not yet seen any exploitation of the newly discovered vulnerabilities.

However, the widespread use of Exchange and the importance of email in general have led the federal government to sound the alarm.

In a directive on Tuesday, the US Cybersecurity and Infrastructure Agency said the vulnerabilities were “different from those revealed and remedied in March 2021” and ordered all government agencies to patch before Friday.

“Given the strong privileges that Exchange implicitly manages and the amount of potentially sensitive information that is stored on Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adverse activity,” wrote CISA. “This determination is based on the likelihood of vulnerabilities being armed, combined with the widespread use of the affected software across the executive branch and the high potential for compromising the integrity and confidentiality of the agency’s information.”

The new patches apply to the 2013, 2016, and 2019 versions of Exchange Server.

The company said organizations that use the cloud-based Exchange Online service included in Microsoft 365 subscription packages are already protected.

Microsoft credited the US National Security Agency with reporting the new vulnerabilities.
