Microsoft offers revised mitigation for zero-day vulnerabilities in Exchange Server



Microsoft has given organizations and businesses a revised mitigation for two actively attacked zero-day vulnerabilities in Exchange Server. The previous mitigation turned out to be easy to circumvent. Security updates for the two vulnerabilities are still not available.

Last week, Microsoft warned of two vulnerabilities that attackers are actively exploiting to compromise Exchange servers, and for which security updates are still not available. The attacks are known to have been taking place since August. However, Microsoft came up with temporary mitigation measures, including a URL rewrite to detect and block certain patterns in requests.

As a result, the attacks observed so far should no longer work. However, a security researcher named Jang discovered that Microsoft's URL rewrite was easy to get around: modifying just one character was enough. Microsoft has now modified the relevant strings that are part of the URL rewrite, which should again prevent abuse.

For organizations using the Exchange Emergency Mitigation Service (EEMS), the new URL rewrite will be installed automatically. When a vulnerability is under active attack, EEMS can automatically install a mitigation to protect the server. The service checks every hour for new mitigations.
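Because the revised rewrite only arrives automatically where EEMS is enabled and not blocked, it is worth confirming that state on each server. The script below is an added example, not part of the original article or Microsoft's guidance; it assumes it is run in the Exchange Management Shell on an Exchange 2016/2019 build that includes EEMS, and the wording of the `Finding` column is this example's own.

```powershell
# Added example: audit Exchange Emergency Mitigation Service (EEMS) state per server.
# Assumption: run in the Exchange Management Shell on a build that ships EEMS,
# so the Mitigations* properties exist on the returned objects.

$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning 'EEMS is disabled organization-wide; no server receives mitigations automatically.'
}

$report = foreach ($s in Get-ExchangeServer) {
    # Both properties are multi-valued and may be empty; drop null entries before counting.
    $applied = @($s.MitigationsApplied | Where-Object { $_ })
    $blocked = @($s.MitigationsBlocked | Where-Object { $_ })

    $finding = if (-not $org.MitigationsEnabled -or -not $s.MitigationsEnabled) {
        'EEMS disabled: mitigation must be applied manually'
    } elseif ($blocked.Count -gt 0) {
        'One or more mitigations blocked by an administrator: review'
    } elseif ($applied.Count -eq 0) {
        'EEMS enabled but nothing applied: check the service and its outbound connectivity'
    } else {
        'Mitigations applied'
    }

    [pscustomobject]@{
        Server  = $s.Name
        Enabled = $s.MitigationsEnabled
        Applied = $applied -join ', '
        Blocked = $blocked -join ', '
        Finding = $finding
    }
}

$report | Format-Table -AutoSize -Wrap
```

Compare the `Applied` column against the mitigation identifiers Microsoft lists in its advisory for these vulnerabilities; the script reports what is installed but does not judge whether the newest revision is among them.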

Microsoft emphasizes that Exchange Emergency Mitigation is intended as a temporary measure for customers until they can install a security update that fixes the attacked vulnerability. EEMS is therefore not a replacement for installing patches, according to Microsoft. It is still unknown when the security update for the two vulnerabilities will be released. Next Tuesday, October 11, is Microsoft's regular Patch Tuesday.