Wednesday, April 14, 2021

NSA alerts Microsoft to "critical vulnerabilities" in email app

Olivia Gazis 
AP
4/13/2021

The National Security Agency (NSA) said Tuesday that it had alerted Microsoft to "a series of critical vulnerabilities" in the Microsoft Exchange email application, prompting the company to issue a new patch.


In a blog post, Microsoft said it had "not seen" the vulnerabilities used against its customers, but urged users to install timely updates.

"[G]iven recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats," the company said, in a reference to an earlier disclosure, made in March, that suspected Chinese hackers had exploited different Exchange server flaws to spy on thousands of U.S. organizations.

Deputy national security adviser for Cyber and Emerging Technology Anne Neuberger, who has been leading the U.S. government's response to both the prior Exchange hack and the SolarWinds cyber espionage campaign attributed to Russia, said in a statement that all federal agencies were being required to "immediately patch" their Exchange servers.

"Should these vulnerabilities evolve into a major incident, we will manage the incident in partnership with the private sector, building on the Unified Coordination Group processes" that were established to deal with the earlier Exchange hack, Neuberger said.

Lawmakers and private cybersecurity experts have been urging the administration to take swifter action to shore up the country's cyber infrastructure and defenses. On Monday the Biden administration named two senior-level cyber officials – both NSA veterans – to new posts.

Former NSA Deputy Director Chris Inglis was nominated to serve as the country's first national cyber director and Jen Easterly, a former intelligence officer at the NSA, to head the Cybersecurity and Infrastructure Security Agency, which is housed in the Department of Homeland Security.

Disclosing software flaws is a relatively new practice for the NSA, which in the past would collect vulnerabilities and keep them secret for its own use in intelligence gathering. But in January 2020, the agency identified a critical vulnerability in Microsoft Windows 10; it said at the time that its disclosure was an effort to "build trust" with its partners and the public.

"NSA values partnership in the cybersecurity community," an NSA spokesperson said Tuesday. "We are continuing the partnership by urging application of the patches immediately."

Rob Joyce, who recently replaced Neuberger as the director of the NSA's Cybersecurity Directorate, likewise urged entities using the Exchange application to patch as soon as possible.

"Cybersecurity is national security," Joyce said. "Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors."

"Don't give them the opportunity to exploit this vulnerability on your system," he said.


Government agencies must update Microsoft Exchange as feds warn of 'unacceptable' security risk

Jordan Novet 
CNBC

4/13/2021

Microsoft on Tuesday issued new patches for the 2013, 2016 and 2019 versions of Exchange.

CISA ordered all federal agencies to deploy the patches by Friday, saying the vulnerabilities pose an "unacceptable" risk.

Unlike patches issued in March, which fixed gaps that had been exploited by Chinese hackers, Microsoft said it is not aware of exploits of these new vulnerabilities.


Microsoft on Tuesday released patches for three versions of its Exchange Server email and calendar software that companies use in on-premises data centers, and the federal government has ordered all agencies to install them, warning that the vulnerabilities being patched "pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action."

The updates come a month after Microsoft took action to respond to attacks on other flaws in Exchange Server, which the company said had been exploited by Chinese hackers. But unlike last time, Microsoft said in a blog post it has not yet observed exploits of the newly discovered holes.

Nonetheless, the widespread usage of Exchange, and the importance of email in general, has spurred the federal government to sound the alarm.

In a Tuesday directive, the U.S. Cybersecurity and Infrastructure Security Agency noted that these vulnerabilities are "different from the ones disclosed and fixed in March 2021" and ordered all government agencies to deploy the patches before Friday.

"Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adversary activity," CISA wrote. "This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information."

The new patches apply to the 2013, 2016 and 2019 versions of Exchange Server.

The company said organizations using the cloud-based Exchange Online service included in Microsoft 365 subscription bundles are already protected.

Microsoft gave credit to the U.S. National Security Agency for reporting the new vulnerabilities.
