A new feature called the Microsoft Exchange Emergency Mitigation (EM) service will automatically install temporary mitigations that block active exploitation of security flaws until Microsoft releases official patches. Microsoft Exchange mail servers have been targeted in hacking campaigns over the past couple of years where multiple zero-day vulnerabilities were exploited and administrators had no patch or mitigation information available.
EM will automatically be installed on servers after installation of the September 2021 Cumulative Updates (CUs) for Exchange servers. The EM service can apply three types of mitigations:
- IIS URL Rewrite Rule Mitigation: a rule that blocks specific patterns of malicious HTTP requests that can endanger an Exchange server.
- Exchange Service Mitigation: disables a vulnerable service on an Exchange server.
- App Pool Mitigation: disables a vulnerable app pool on an Exchange server.
The Microsoft Exchange team said last week that “since in the future mitigations may be released at any time, we chose to have the EM service check for mitigations hourly.” The EM service is one of the first security features that can automatically deploy temporary fixes until a permanent/official fix is available.
Analyst Notes
Security features like this indicate that Microsoft understands Exchange servers will continue to be a hot target and without patch and/or mitigation information, administrators have a difficult time mitigating these vulnerabilities themselves. While administrators can disable the EM service if they don’t want Microsoft applying mitigations automatically, it is highly recommended that the EM service stays enabled. Microsoft also allows for admins to control applied mitigations using PowerShell cmdlets and scripts for viewing, reapplying, blocking, or removing mitigations without disabling the entire service.
References:
https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-service-mitigates-high-risk-bugs-automatically/?&web_view=true
https://therecord.media/microsoft-adds-novel-feature-to-exchange-servers-to-allow-it-to-deploy-emergency-temporary-fixes/
