Security for Exchange and SharePoint

Update March 2021: This post relates to issues found in Jan 2021. A new, more serious set of security issues have been found in March 2021. See Tony Redmond’s post on the topic for more information.

Microsoft recently released several security updates for Exchange Server and SharePoint Server to address proof-of-concept flaws in all recent versions of the products, including Exchange Server 2010, which left support in October and was supposedly never to receive security patches again.

The release of these updates alone indicates the severity of the issues discovered. Although little has been published so far, Steven Seeley from Source Incite, who identified the vulnerability and reported it to Microsoft, explained that the flaw allows an attacker with low-privilege credentials (e.g., a user mailbox) to elevate to the SYSTEM account on the Exchange Server and retrieve information.

The vulnerabilities are not limited to one type either – they affect Exchange Web Services on Exchange 2016 and 2019, and the way information is retrieved via XML for OWA on Exchange 2013, 2016, and 2019.

On SharePoint Server 2010 to 2019 – less frequently installed on-premises but still a target – a similar XML-based flaw was identified by the same researcher.

Less information is available about the Exchange Server 2010 flaw, which appears to be exploitable through the Exchange Management Shell. According to Microsoft, an authenticated user can trigger it via cmdlet arguments. Most importantly, Microsoft considered this serious enough to release a new update rollup to resolve it.

Exchange Server Patches

Download updates for Exchange Server below. You’ll find links to the relevant CVEs on each page.

SharePoint Server Patches

Finally, you’ll find links to updates for SharePoint Foundation and SharePoint Server below, again alongside the relevant CVEs.

If you have any questions, please let us know in the comment section.

About the Author

Steve Goodman

Chief Editor for Audio and Video Content and Technology Writer for Practical 365, focused on Microsoft 365. A nine-time Microsoft MVP, author of several Exchange Server books and regular conference speaker, including at Microsoft conferences such as Ignite, TechEd and Future Decoded. Steve has worked with Microsoft technology for over 20 years and has been writing about Exchange and the earliest iterations of Office 365 since its inception. Steve helps customers plan their digital transformation journey and gets hands on with Microsoft Teams, Exchange and Identity projects.