Caute_cautim
Community Champion

New Microsoft Exchange zero-days allow RCE, data theft attacks

Hi All

 

Yet, another Microsoft Defrocking:

 

And no patch on the horizon for some time:

 

Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations.

The zero-day vulnerabilities were disclosed by Trend Micro's Zero Day Initiative (ZDI) yesterday, who reported them to Microsoft on September 7th and 8th, 2023.

 

https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-zero-days-allow-rce-data-thef...

 

It makes the security framework a joke.

 

Regards

 

Caute_Cautim

1 Reply
JoePete
Advocate I

Microsoft's core values in regard to software development could be described as "more stuff, less clicks," is always better. If they built cars, they'd enable it to sprout wings or an outboard engine at the push of a button.

 

This is the way they've always perceived technology, often not even developing those wings, just buying someone else's and gluing them on. Conceptually, that is admirable creativity. A lot of times, they've pulled it off, but there is a fundamental risk that keeps manifesting in their desire to build an "ecosystem" rather than just a really good OS (or application).

 

That part of my rant over, yes, these "zero days" require authentication. Quite honestly, I am not sure that qualifies as zero day. If I can impersonate someone in an online system, there's a lot of novel stuff I can attempt. If I use someone's SMTP credentials to send a never-seen-before phishing email, does that email become a zero day?

 

Act II of rant over, I'll close with pondering how many times does corporate and government America need to have their thumbs smashed by the Microsoft hammer to think either "I need a new hammer" or "I should really learn how to use this thing better."