A brief note and heads up for administrators of Microsoft Exchange on-premises systems. Reserve some time today (05/11/2021) to patch Exchange servers. If the available information is correct, Microsoft is rolling out a critical hotfix for Microsoft Exchange Server in the coming hours (around 10:00 a.m. PST), which should be installed promptly.
Here in the blog you can find articles about security vulnerabilities in Exchange that have not been patched yet. Blog reader Thomas B. just contacted me by mail and sent the following information (thanks for that).
If I am informed correctly, tomorrow morning at 1000 another critical security hotfix will be officially released by Microsoft for Exchange Server.
According to my information it is so critical that it should be installed very soon.
I hope my information is correct. In any case, we have already taken all precautions, also with regard to personnel resources, so that we can roll it out to customers immediately.
Just my 2 cents,
The time stamp should refer to Pacific Standard Time (PST), which is about 19:00 German time – and "tomorrow morning" means May 11, 2021 (patchday at Microsoft). The above note is vague, though; possibly Tom is subject to a confidentiality agreement. But you should keep your eyes open today in this regard. My guess is that the bugs hinted at in the blog post PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight? may be addressed. If any details come to your attention, leave a comment – I'll post more details as soon as they are available.
Details may be found within the blog post Security Updates (KB5003435) for Microsoft Exchange Server (May 11, 2021)
Exchange issues with ECP/OWA search after installing security update (March 2021)
Exchange Server Security Update KB5001779 (April 13, 2021)
PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?
PoC for Microsoft Exchange bug discovered by NSA public