Endless vulnerabilities. Widespread hacking campaigns. Slow and technically tough patching. It’s time to say goodbye to on-premise Exchange.
There was a time when reasonable people who cared about security, privacy, and reliability ran their own email servers.
Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable teams at companies like Google and Microsoft.
Now, cybersecurity experts argue that a similar switch is long overdue for many government and business networks.
For enterprises still running on-premise Microsoft Exchange, their own email machine in a closet or data center, it’s time to move to a cloud service.
Doing so would let them leave behind the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.
In a blog post published earlier this week, Taiwanese cybersecurity researcher Orange Tsai detailed a security vulnerability in Microsoft Exchange that he had warned Microsoft about as early as June 2021.
Microsoft responded by releasing some partial fixes, but it took 14 months to fully resolve the underlying security problem.
Earlier, Tsai reported a related vulnerability in Exchange that was massively exploited by a group of Chinese state-sponsored hackers known as Hafnium, which last year penetrated more than 30,000 targets by some counts.
According to the timeline described, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability.
Microsoft assured Tsai four times that it would patch the bug but ended up pushing off a full patch for months longer.
When Microsoft finally released a fix, it still required manual activation and went undocumented for four more months.
Meanwhile, another pair of actively exploited Exchange vulnerabilities revealed last month still remain unpatched, after researchers showed that Microsoft’s initial attempts to fix the flaws had failed.
Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code.
Even when Microsoft does release Exchange patches, they’re not widely applied, because installing them is a time-consuming technical process.
The result of these compounding problems: Microsoft Exchange Server is itself a security vulnerability, and the fix is to get rid of it.
“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI).
ZDI pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition.
“You’re not getting support for security fixes that you would expect from a really mission-critical component of your infrastructure.”
Childs points to another 20 security flaws in Exchange that a researcher reported to ZDI, which ZDI passed on to Microsoft two weeks ago, and which remain unpatched.
“Exchange right now has a very broad attack surface, and it just hasn’t had a lot of really comprehensive work done on it in years from a security perspective,” says Childs.
Aanchal Gupta, the corporate vice president of Microsoft Security Response Center (MSRC), responded with an exhaustive list of measures the company has taken to mitigate, patch, and harden on-premise Exchange servers.
She noted that Microsoft quickly released updates in response to Tsai’s findings to partially block the vulnerabilities he exposed before the company released the full fix in August.
Gupta further wrote that MSRC “worked around the clock” to help customers update their Exchange servers in the midst of last year’s Hafnium attacks, and that Microsoft released numerous security updates for Exchange over the past year.
Microsoft also launched an Exchange Emergency Mitigation service, which automatically applies mitigations to customers’ Exchange servers to block known attacks even before a full patch is available.
Still, Gupta agreed that most customers should move from on-premise Exchange servers to Microsoft’s cloud-based email service, Exchange Online.
“We strongly recommend customers migrate to the cloud to take advantage of real-time security and instant updates to help keep their systems protected from the latest threats,” Gupta said in an emailed statement.
“Our work to support on-premises customers to move to a supported and up-to-date version continues, and we strongly advise customers who cannot keep these systems up to date to migrate to the cloud.”
Part of the reason cloud migration is necessary is that email administrators are, in fact, having trouble keeping Exchange fully patched.
Trend Micro’s Childs says that’s due largely to the complexity of actually installing Exchange updates, a result of both the age of its code and the risk of breaking functionality when changing interdependent mechanisms in the software.
Security researcher Kevin Beaumont, for instance, recently live-tweeted his own experience of updating an Exchange server, documenting countless bugs, crashes, and hiccups in a process that took him nearly three hours, despite the fact that the server had last been updated just a few months earlier.
“It’s a difficult and arduous process, so even though there are active attacks, people just don’t patch their on-premise Exchange,” says Childs.
“So there are patched bugs that are taking forever to get fixed, and also unpatched bugs that have yet to get fixed.”
Another problem with Exchange security is that vulnerabilities found in its software are often easy to exploit.
Exchange bugs aren’t any more common than, say, vulnerabilities in Microsoft’s Remote Desktop Protocol, says Marcus Hutchins, an analyst for security firm Kryptos Logic.
However, they’re far more reliable to exploit because, even though an Exchange server hosts email locally, it’s accessed through a web service.
Sending crafted requests to a web interface is a far more reliable form of exploitation than methods like memory corruption, which have to alter data in a lower-level and less predictable portion of the targeted machine.
“It’s basically very fancy web exploitation,” says Hutchins. “It’s not something that’s going to crash the server if you do it wrong. It’s very stable and simple.”
That exploitability is compounded by what seems to be Microsoft’s increasing inattention to maintaining the security of on-premise Exchange in favor of its cloud-based email service, Exchange Online.
Microsoft itself recommended that customers disable “legacy” authentication for Exchange (industry jargon for outdated and often unsupported features) without acknowledging that there was no alternative form of authentication available.
Microsoft no doubt wants customers to switch to its cloud based services, and seems to have shifted its security resources accordingly.
While some users may prefer or even require that their email be hosted locally rather than in the cloud for legal or privacy reasons, enterprises that rely on controlling the Exchange server themselves for security need to reckon with the fact that they’re likely introducing more risk than they’re avoiding.
We get it: you want to run on-prem for control reasons, but you have to start evaluating this as a liability, because Microsoft is not putting effort and resources into patching.
The proof is in the pudding; this code base is not getting the love that it clearly and desperately needs.
If Microsoft isn’t giving that love to your Exchange server, perhaps Exchange no longer deserves your love, either.