How to manage the two new Microsoft zero-day vulnerabilities

The CEO and founder of a stealth startup recently told an audience at an In-Q-Tel event that the probability that any one of the 100 Common Vulnerabilities and Exposures (CVE) entries listed in the Cybersecurity and Infrastructure Security Agency (CISA) Catalog of Known Exploited Vulnerabilities is in active use is 2.5%.

This may not seem like a large number. But when an organization’s systems are subject to a known and publicized vulnerability, regulatory mandates may require that you mitigate that vulnerability within a certain timeframe, depending on its criticality.

On September 29, 2022, Microsoft reported two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability can be exploited by an authenticated attacker, who can then use it to remotely trigger the second vulnerability: a remote code execution (RCE) that becomes possible when the attacker can reach PowerShell.

According to Microsoft, “authenticated access to the vulnerable Exchange server is necessary to successfully exploit any of the vulnerabilities.” However, organizations must respond quickly.

Mitigation steps

Per Microsoft’s instructions, Exchange Online customers do not need to take any action.

For those not using Exchange Online, the current Exchange Server mitigation is to add a blocking rule under "IIS Manager -> Default Web Site -> URL Rewrite -> Actions" to block known attack patterns. Exchange Server customers should review and choose only one of the following three options:
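One check a defender will want after applying the mitigation is to confirm that the URL Rewrite rule actually landed in the site's web.config and that it aborts the request shapes it is meant to catch. The script below is an added example, not code from the page or from Microsoft; the web.config it parses is a constructed sample, and the condition pattern in it is an assumption used for illustration (take the current pattern from Microsoft's advisory, not from this snippet).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an IIS web.config carrying a URL Rewrite blocking rule.
# The pattern is an assumed placeholder; use the one from Microsoft's advisory.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="BlockExchangePattern" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{REQUEST_URI}" pattern=".*autodiscover\.json.*Powershell.*" ignoreCase="true" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""


def find_abort_rules(web_config_xml):
    """Return [(rule name, compiled regex)] for every URL Rewrite rule that
    aborts the request based on a {REQUEST_URI} condition."""
    root = ET.fromstring(web_config_xml)
    found = []
    for rule in root.iter("rule"):
        action = rule.find("action")
        if action is None or action.get("type") != "AbortRequest":
            continue
        for cond in rule.findall("conditions/add"):
            if cond.get("input") != "{REQUEST_URI}":
                continue
            # IIS treats ignoreCase as true unless explicitly set to false.
            flags = 0 if cond.get("ignoreCase", "true").lower() == "false" else re.IGNORECASE
            found.append((rule.get("name"), re.compile(cond.get("pattern"), flags)))
    return found


def is_blocked(rules, request_uri):
    """True if any abort rule's condition matches the given request URI."""
    return any(rx.search(request_uri) for _, rx in rules)


def mitigation_present(web_config_xml):
    """True if at least one {REQUEST_URI}-based AbortRequest rule exists."""
    return len(find_abort_rules(web_config_xml)) > 0
```

Point `find_abort_rules` at the contents of the real web.config of the Default Web Site to verify the rule is present, and feed `is_blocked` a few request URIs from your own IIS logs to confirm the condition matches what you expect and nothing more.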

Insurance considerations

Cyber insurers are reacting to the report of Exchange Server zero-day vulnerabilities. Among other questions, underwriters are beginning to ask:

1. Does the insured use local versions of Microsoft Exchange Server?

2. Has the insured applied the mitigation settings recommended by Microsoft?

3. Has the insured reviewed their environment for indicators of compromise and can they confirm that none were found?

4. If indicators of compromise were found, have they been remediated?

These and all other known vulnerabilities should be addressed by your overall vulnerability and patch management program, which should monitor for and alert you to identified vulnerabilities. This gives your organization the ability to analyze, prioritize, and address vulnerabilities to reduce exposure as efficiently and effectively as possible.

Other controls

Your ability to identify and mitigate known vulnerabilities is critical to protecting your organization from loss and catastrophic cyber events. Lockton recommends that all companies with potential vulnerabilities consider taking the following five actions:

  1. Patch the software now. Your criticality analysis can help you prioritize and focus your patching efforts across all key assets.

  2. Commit to backing up data on a regular cadence and keep the most up-to-date backup offline and offsite.

  3. Enable the display of file extensions, which makes it easy to identify file types that are not typically sent to you or to multiple users. Your IT department or managed service provider can enable this for all users.

  4. Do not enable macros on documents received as email attachments. Most infections rely on the user allowing macros to run in order to carry out their malicious intent.

  5. Beware of unsolicited attachments and train your workforce on how to spot unsolicited emails and attachments on their primary access devices such as mobile phones. Please note that such attachments may appear different on a computer screen than on a mobile phone screen.

For more information, please contact your Lockton advisor or email us at [email protected]
