Microsoft was aware of the vulns for 2 months before issuing a patch.

Some of the vulns existed in the Exchange codebase for 10 years.

Microsoft faces perverse incentives. When their customers get compromised, Microsoft benefits from accelerated upgrades and cloud subscriptions.

Yet their customers blame foreign threat actors and not Microsoft, so Microsoft suffers no reputational damage.

With these incentives, why would any rational corporation spend resources hardening their software or responding rapidly to new disclosures?
Something interesting I learned when looking into all of this is that if you have a large environment (2000+ mailboxes) and transition to Exchange Online, Microsoft still (since 2010) has no idea how to fully decommission your Exchange Server environment, since you need at least 1 to facilitate on-prem AD connectivity (which isn't true if you didn't have a hybrid environment). So even if you transitioned to the cloud, you may not have been safe.

https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange
So like, was the vuln more or less made widely known at some point? This feels like the scope grew so large because many groups obtained the 0day before Microsoft expected it to go wide, which is not what folks seem to have expected.

It'd be interesting to see more info in the timeline about when that might have happened. Just feels like this info is entirely based on what the research community was seeing, not based on any info from the adversary side of this event (not that collecting that kind of data is easy, so fair enough).
I don't understand how anyone thinks Exchange can still be used ... just setting it up without obviously choosing any obviously insecure settings somewhere in the stack while also trying to support the actual needs of a diverse set of users (without even considering the presence of unpatched vulnerabilities and required patching speeds) probably exceeds the IT capabilities of 99% of corporations.
this article is a tire fire and even links to the exploitation of a different exchange bug

i don't see an issue here

microsoft patched a bug within a 90-day disclosure timeline and even released patches before the agreed date when it learned they were exploited

why is krebs making a big deal out of it