The National Security Agency on Tuesday said it alerted Microsoft to a fresh batch of critical vulnerabilities that hackers could exploit to remotely compromise the Exchange Server email software program.
Microsoft said that it hadn’t see any hacks using the vulnerabilities on its customers, but the news comes at a time of heightened concern over bugs in Exchange Server. Microsoft on March 2 revealed that suspected Chinese spies had exploited another set of flaws in Exchange Server to siphon off emails from targeted U.S. organizations. A bevy of opportunistic cybercriminals proceeded to exploit those vulnerabilities, to which tens of thousands of U.S. businesses and state and local organizations were reportedly exposed.
The latest software bugs that the NSA discovered are in the 2013, 2016 and 2019 versions of Exchange Server. Microsoft said that the vulnerabilities, if exploited, could allow an attacker to execute code remotely on a target computer. Like the vulnerabilities disclosed a month ago, they affect organizations that run Exchange on their own digital premises, as opposed to those that use cloud computing services.
Following the announcement, the Department of Homeland Security’s cybersecurity agency ordered federal civilian agencies to apply the Exchange Server software fixes by the end of Thursday.
“[G]iven recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats,” Microsoft said in a blog post on Tuesday.
Rob Joyce, NSA’s director of cybersecurity, echoed that sense of urgency.
“Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors,” Joyce said. “Don’t give them the opportunity to exploit this vulnerability on your system.”
As one of the world most powerful spy agencies, the NSA routinely has to decide whether to disclose software bugs it finds to protect U.S. companies, or to keep them for intelligence-gathering operations overseas.
Lately, the agency has been more public about its discovery of software flaws for defensive purposes. In January 2020, for example, the NSA and Microsoft revealed a critical flaw in the Microsoft Windows operating system and urged organizations to apply a security fix.
“The U.S. government carefully weighs the national security, public and commercial interests in deciding to disclose a vulnerability,” said Anne Neuberger, a former NSA official who is now deputy national security adviser for cyber and emerging technologies. “Moreover, we recognize when vulnerabilities may pose such a systemic risk that they require expedited disclosure.”
Also Tuesday, Kaspersky said it found a previously unknown exploit of Microsoft’s Desktop Window Manager in use, possibly by several different hacker groups. It would allow attackers to execute arbitrary code on a victim’s device. Microsoft issued a patch for the vulnerability as well.
Tim Starks contributed to this article.