Yesterday, Microsoft issued its monthly security bulletin. This time around, the bulletin also includes a fix for a vulnerability that affects only Exchange 2013 environments.
More specifically, MS15-064 addresses three potential issues:
- Exchange Server-Side Request Forgery Vulnerability - CVE-2015-1764
- Exchange Cross-Site Request Forgery Vulnerability - CVE-2015-1771
- Exchange HTML Injection Vulnerability - CVE-2015-2359
To make a long story short: under the right circumstances an attacker could elevate privileges and use that to launch an attack on the Exchange Servers, or on other servers that would otherwise not be exposed to the internet, such as servers in the same network as the Exchange servers. It should be noted that an attacker would not be able to do so without a little help from your users. According to the information in the bulletin, a user must be lured to a malicious web page, from where the attacker can exploit the vulnerability using a forged request (Server-Side Request Forgery, SSRF).
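The reason SSRF matters is visible in that last sentence: a server that is reachable from the internet is tricked into making a request on the attacker's behalf, so the request arrives at internal hosts that the attacker could never reach directly. The standard mitigation on any server-side component that fetches URLs is to validate the destination before the request is made. The following is an added example of that check, not code from Microsoft or from Exchange, and it says nothing about how Exchange itself handles the issue; the `FAKE_DNS` table, host names and addresses are constructed so that it runs offline, and `ALLOWED_HOSTS` is an assumed allow-list.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed lookup table standing in for DNS so the example runs offline.
# 8.8.8.8 is used only as a sample of a publicly routable address.
FAKE_DNS = {
    "public.example.com": "8.8.8.8",
    "intranet.example.local": "10.20.30.40",
    "mail-backend.example.local": "192.168.1.25",
    "metadata.example.test": "169.254.169.254",
}

# Assumed allow-list of hosts the server is permitted to contact.
# mail-backend.example.local is included deliberately to show that an
# allow-listed name that resolves to an internal address is still refused.
ALLOWED_HOSTS = {"public.example.com", "mail-backend.example.local"}


def resolve(host, table=FAKE_DNS):
    """Return the IP addresses for host: the constructed table first, real DNS otherwise."""
    if host in table:
        return [table[host]]
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_internal(ip_text):
    """True for any address an internet-facing server should never fetch from."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve):
    """Decide whether a server-side fetch of url may proceed.

    Returns (allowed, reason). The checks run in order: scheme, presence of a
    host, allow-list membership, and finally every resolved address, because a
    name on the allow-list can still point at an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if host is None:
        return False, "no host"
    if host not in allowed_hosts:
        return False, "host not on allow-list"
    addresses = resolver(host)
    if not addresses:
        return False, "host does not resolve"
    for address in addresses:
        if is_internal(address):
            return False, f"resolves to internal address {address}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://public.example.com/api",
        "https://intranet.example.local/",
        "http://mail-backend.example.local/",
        "http://169.254.169.254/",
        "file:///etc/hosts",
    ):
        print(candidate, "->", check_outbound_url(candidate))
```

The point of the last loop in `check_outbound_url` is that an allow-list alone is not enough: the decision has to be made on the addresses the name resolves to at request time, otherwise a name that later points at an internal address slips through.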
It goes without saying that a lot of the pain can be avoided by properly educating your users. But recent events have proven that this is easier said than done. Modern phishing attacks can be really hard to detect. Often, high-ranking individuals in the organization are targeted, in the hope that the attack reveals as much (personal) information as possible. It's no wonder that Microsoft invests heavily in features such as the newly introduced "Advanced Threat Protection", which can help prevent information disclosure (or worse) through phishing attacks by providing time-of-click protection against malicious links through its "Safe Links" capability.
Given that Microsoft has ranked the security update as "important", there is enough reason for you to take a look at it and deploy it at the earliest convenience. As always, make sure to test what you will be deploying in production.
Securing your Exchange Server environment is more than just deploying security patches. There are other things to consider too. For instance, take a look at Dave Stork's recent blog post, in which he explains how security protocols and ciphers matter to your Exchange Server's baseline security. Well worth the read!
Cheers,
Michael