Security News > 2022 > October > Patch Tuesday in brief – one 0-day fixed, but no patches for Exchange!

Two weeks ago we reported on two zero-days in Microsoft Exchange that had been reported to Microsoft three weeks before that by a Vietnamese company that claimed to have stumbled across the bugs on an incident response engagement on a customer's network.

One day ago [2022-10-11] was the latest Patch Tuesday.

This month's Microsoft patches cover 52 different parts of the Microsoft ecosystem, including several we'd never even heard of before.

There's still no fix for the E00F bugs, a week after we followed up on our article from a week before that about an initial report three weeks before that.

In other words, if you still have your own on-premises Exchange server, even if you're only running it as part of an active migration to Exchange Online, this month's Patch Tuesday hasn't brought you any Exchange relief, so make sure you are up-to-date with Microsoft's latest product mitigations, and that you know what detection and threat classification strings your cybersecurity vendor is using to warn you of potential ProxyNotShell/E00F attackers probing your network.

We're not aware of actual attacks using this bug, but information about how to abuse it was apparently known to potential attackers before the patch appeared.

News URL

https://nakedsecurity.sophos.com/2022/10/12/patch-tuesday-in-brief-one-0-day-fixed-but-no-patches-for-exchange/