Microsoft Exchange gets ‘better’ patch to mitigate critical bug
The Exchange Team asked admins to deploy a new and "Better" patch for a critical Microsoft Exchange Server vulnerability initially addressed in August.
Tracked as CVE-2023-21709 and patched during August 2023 Patch Tuesday, the security flaw enables unauthenticated attackers to escalate privileges on unpatched Exchange servers in low-complexity attacks that don't require user interaction.
"In a network-based attack, an attacker could brute force user account passwords to log in as that user. Microsoft encourages the use of strong passwords that are more difficult for an attacker to brute force," Microsoft explained.
As part of this month's Patch Tuesday, Microsoft has now released a new security update that fully addresses the CVE-2023-21709 flaw and doesn't require any additional steps.
The October 2023 Patch Tuesday security updates patched 104 flaws, 12 rated critical and three tagged as zero-day vulnerabilities actively exploited in attacks.
One of them is a Skype for Business Elevation of Privilege Vulnerability tracked as CVE-2023-41763 and disclosed by Dr. Florian Hauser in September 2022. Microsoft refused to patch it until today, even though attackers can exploit it to gain access to systems on internal networks.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-10-10 | CVE-2023-41763 | Unspecified vulnerability in Microsoft Skype for Business Server 2015/2019 Skype for Business Elevation of Privilege Vulnerability | 5.3 |
2023-08-08 | CVE-2023-21709 | Improper Restriction of Excessive Authentication Attempts vulnerability in Microsoft Exchange Server 2016/2019 Microsoft Exchange Server Elevation of Privilege Vulnerability | 9.8 |