More than a week after researchers publicly disclosed two critical zero-day vulnerabilities, Microsoft continues to work on a security patch to protect the thousands of vulnerable Microsoft Exchange Server customers worldwide from attacks.
In the meantime, Microsoft has had to repeatedly revise interim mitigation steps designed to protect customers against malicious attacks.
Security researchers have repeatedly called out the company because both attackers and researchers have been able to bypass the suggested changes, placing additional Exchange Server customers at risk.
Security researcher Kevin Beaumont, who has been tracking the Exchange Server case closely since retweeting the original disclosures from Vietnam-based GTSC, noted that Microsoft has repeatedly updated its guidance without acknowledging prior failures to prevent attacker bypass.
After posting updates to its URL Rewrite guidance on Oct. 4, Microsoft on Wednesday posted another update to its URL Rewrite rules for preventing further attacks stemming from the Microsoft Exchange Server zero-days.
Microsoft updated the mitigation steps for its Exchange Emergency Mitigation Service (EEMS) rules and the Exchange On-Premises Mitigation Tool (EOMTv2) rule, which are two of the three recommended options to block additional attacks.
The company had to provide specific steps because it has yet to make a patch available for on-premises Exchange Server customers who are vulnerable to attack.
“Patches take time to develop,” Erik Nost, senior analyst at Forrester, said via email. “Temporary mitigation measures are just that – temporary, until a root cause can be identified and a patch is developed and tested.”
Nost cautioned that releasing a patch before it is fully tested and functional can just introduce additional security and availability problems.
“We often see the same zero day or vulnerability pop up after a patch is available because the patch did not address the root cause. Vendors are addressing the symptom, not the problem,” Nost added.
On Thursday, Microsoft posted an update to EOMTv2 asking customers to remove an extra space in the script; the company says the extra space did not affect functionality.
When asked about the repeated updates in guidance and the lack of a patch, an outside firm representing Microsoft referred back to the posted mitigation steps and said the company would be posting updated guidance as needed.
Researchers at GreyNoise have been tracking malicious IP addresses targeting the vulnerabilities, which researchers have dubbed ProxyNotShell. As of Thursday afternoon, a total of 26 had been observed.