Microsoft: Exchange ‘Extended Protection’ needed to fully patch new bugs
Microsoft says that some of the Exchange Server flaws addressed as part of the August 2022 Patch Tuesday also require admins to manually enable Extended Protection on affected servers to fully block attacks.
Remote attackers can exploit these Exchange bugs to escalate privileges in low-complexity attacks after tricking targets into visiting a malicious server using phishing emails or chat messages.
Microsoft says that admins also need to enable Extended Protection after applying today's security updates to make sure that threat actors won't be able to breach vulnerable servers.
"Customers vulnerable to this issue would need to enable Extended Protection in order to prevent this attack," Redmond said in advisories published Tuesday.
A script provided by Microsoft is available to enable this feature, but admins are advised to "carefully" evaluate their environments and review the issues mentioned in the script documentation before toggling it on their Exchange servers.
Since Redmond has also tagged all three Exchange vulnerabilities as "Exploitation More Likely," admins should patch these flaws as soon as possible.