By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant
We’re alerting our higher education technology community that yesterday’s (1/11/2022) Microsoft Patch Tuesday released critical security updates for Exchange and Windows OS that address several serious security vulnerabilities.
The updates contain fixes for 97 vulnerabilities in total: 9 of these are remote code execution (RCE) vulnerabilities, 6 are classed as zero-days, and 1 is wormable.
A wormable vulnerability is one that could be used to self-propagate through a network with no user interaction. This vulnerability lies in how the OS processes unauthenticated HTTP traffic and carries a severity rating of 9.8 on a scale of 10. Windows Server 2019 and 2022, plus Windows 10 and 11, are affected.
Microsoft suggests patching all affected Windows versions as soon as possible; publicly facing servers with open HTTP and HTTPS ports are the most critical. The security updates for Exchange affect Exchange 2013, 2016, and 2019, including hybrid servers for Office 365.
The update has only been released for the latest Cumulative Update (CU) for Exchange Server 2013 (CU23) and the last two CUs for 2016 (CU21 and CU22) and 2019 (CU10 and CU11). This means you will need to upgrade to one of these CUs before you can apply this security update.
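To make that prerequisite easy to verify across an organization, here is an added PowerShell check (example code, not part of the original advisory and not Microsoft's tooling). It parses the `AdminDisplayVersion` that `Get-ExchangeServer` returns and compares each server against the oldest CU named above for its product line. The build numbers in the table are assumed to be the ones Microsoft publishes for 2013 CU23, 2016 CU21 and 2019 CU10; confirm them against Microsoft's Exchange Server build table before relying on the result. The sample inventory at the bottom is constructed so the script can be tried offline.

```powershell
# Added example: reports which Exchange servers are already on a CU that can
# receive the January 2022 security update and which must be upgraded first.
# Assumption: these are the builds Microsoft publishes for the oldest eligible
# CU per product line (2013 CU23, 2016 CU21, 2019 CU10). Verify before use.
$MinimumSupportedBuild = @{
    '15.0' = @{ Product = 'Exchange 2013'; Build = [version]'15.0.1497.2'; Cu = 'CU23' }
    '15.1' = @{ Product = 'Exchange 2016'; Build = [version]'15.1.2308.8'; Cu = 'CU21' }
    '15.2' = @{ Product = 'Exchange 2019'; Build = [version]'15.2.922.7';  Cu = 'CU10' }
}

function ConvertFrom-AdminDisplayVersion {
    # Turns "Version 15.2 (Build 986.5)" (the AdminDisplayVersion format)
    # into a comparable [version] object, e.g. 15.2.986.5.
    param([Parameter(Mandatory)][string]$DisplayVersion)
    if ($DisplayVersion -match 'Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)') {
        return [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], [int]$Matches[4])
    }
    throw "Unrecognised AdminDisplayVersion format: '$DisplayVersion'"
}

function Test-ExchangeCuReady {
    # Input: objects with Name and AdminDisplayVersion (the shape Get-ExchangeServer returns).
    # Output: one row per server stating whether the security update can be applied now.
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$Server)
    process {
        foreach ($s in $Server) {
            $build = ConvertFrom-AdminDisplayVersion $s.AdminDisplayVersion
            $key   = '{0}.{1}' -f $build.Major, $build.Minor
            $min   = $MinimumSupportedBuild[$key]
            if (-not $min) {
                # 15.0 / 15.1 / 15.2 map to 2013 / 2016 / 2019; anything else is out of scope here.
                [pscustomobject]@{ Server = $s.Name; Product = 'Unknown'; Build = $build
                                   Ready = $false; Action = 'Unrecognised product line; check manually' }
                continue
            }
            $ready = $build -ge $min.Build
            if ($ready) { $action = 'Apply the January 2022 security update' }
            else        { $action = "Upgrade to $($min.Cu) or later first, then apply the security update" }
            [pscustomobject]@{
                Server  = $s.Name
                Product = $min.Product
                Build   = $build
                Ready   = $ready
                Action  = $action
            }
        }
    }
}

# Constructed sample inventory so the check can be exercised without an Exchange org.
$sample = @(
    [pscustomobject]@{ Name = 'EX2019-01'; AdminDisplayVersion = 'Version 15.2 (Build 986.5)'  }  # at or above CU10: ready
    [pscustomobject]@{ Name = 'EX2016-01'; AdminDisplayVersion = 'Version 15.1 (Build 2242.4)' }  # below CU21: upgrade first
    [pscustomobject]@{ Name = 'EX2013-01'; AdminDisplayVersion = 'Version 15.0 (Build 1497.2)' }  # CU23: ready
)
$sample | Test-ExchangeCuReady | Format-Table -AutoSize

# Against a live organization, run from the Exchange Management Shell instead:
# Get-ExchangeServer | Test-ExchangeCuReady | Format-Table -AutoSize
```

Note that this only confirms the CU prerequisite; it does not tell you whether the security update itself has been installed, since AdminDisplayVersion is not bumped by security updates. Treat a server as unpatched until the update shows up in its installed-updates list.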
If you have any questions or need assistance, please click here.
For your reference, click here to read the blog post the Microsoft Exchange Team published about the update and patch process.