Microsoft has added a tool to its Defender antivirus software that automatically closes critical vulnerabilities in Microsoft Exchange Server. With this, the company hopes to reduce the number of vulnerable systems even faster.
The automatic tool focuses specifically on vulnerability CVE-2021-26855. This is one of the four vulnerabilities that attackers used to attack Exchange servers. It is the most important of the four because it allows initial access to the server. Attackers use the other three vulnerabilities to spread further across a compromised network.
Vulnerability automatically patched
Because this tool becomes part of Windows Defender and System Center Endpoint Protection, it can be downloaded and installed without an administrator’s intervention. Even if the administrators have disabled Windows Update for whatever reason, it will still fix the most important vulnerability. This is provided that Defender can retrieve automatic updates, specifically version 1.333.747.0 or newer.
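One way for an administrator to confirm that condition on an Exchange server, as an added example that is not from Microsoft or the original article. It assumes the version quoted above is the value Defender reports as AntivirusSignatureVersion through the Get-MpComputerStatus cmdlet; the function name Test-DefenderMitigationVersion and the sample object are hypothetical.

```powershell
# Added example. The threshold comes from the article; everything else is an assumption.
function Test-DefenderMitigationVersion {
    param(
        # Object shaped like the output of Get-MpComputerStatus
        [Parameter(Mandatory)] $Status,
        [version] $Required = '1.333.747.0'
    )
    # Parse defensively: an empty or malformed version string counts as "not sufficient"
    $parsed = $null
    $parsedOk = [version]::TryParse([string]$Status.AntivirusSignatureVersion, [ref]$parsed)
    $versionOk = $parsedOk -and ($parsed -ge $Required)
    $enabled = [bool]$Status.AntivirusEnabled

    [pscustomobject]@{
        SignatureVersion  = $Status.AntivirusSignatureVersion
        LastUpdated       = $Status.AntivirusSignatureLastUpdated
        AntivirusEnabled  = $enabled
        VersionSufficient = $versionOk
        # Assumption: a disabled Defender engine cannot apply anything,
        # so both conditions must hold before the host counts as covered.
        Covered           = $versionOk -and $enabled
    }
}

# Constructed sample: a host whose Defender updates stalled before the required version
$stale = [pscustomobject]@{
    AntivirusSignatureVersion     = '1.331.2100.0'
    AntivirusSignatureLastUpdated = [datetime]'2021-03-01'
    AntivirusEnabled              = $true
}
Test-DefenderMitigationVersion -Status $stale | Format-List

# Live check on the local machine
try {
    $live = Get-MpComputerStatus -ErrorAction Stop
    $result = Test-DefenderMitigationVersion -Status $live
    $result | Format-List
    if (-not $result.Covered) {
        Write-Warning 'Defender is disabled or older than 1.333.747.0: the automatic mitigation cannot be assumed.'
    }
}
catch {
    # Defender cmdlets missing or the service is not running
    Write-Warning "Could not query Defender status: $($_.Exception.Message)"
}
```

A result of Covered = True only confirms the precondition described above; it does not show that the other Exchange security patches are installed.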
With the update, Defender also automatically checks whether attackers may have already compromised the system and attempts to reverse changes made by attackers, Microsoft says in a blog post. Microsoft emphasises that although this prevents the direct attack method, administrators must still install the other security patches themselves.
One-click mitigation tool
The functionality of the update corresponds broadly to the tool that Microsoft released last week to protect users from attackers. That tool closes the same vulnerability and also checks for possible indications of an attack. Microsoft recommends that administrators who do not use Defender use this tool to protect themselves against attacks.
More and more attackers jumping on exploits
More and more hacker groups appear to be exploiting the vulnerabilities in Exchange Server. It is thought that there are already more than ten, and this number is still increasing. The vulnerabilities are mainly used for ransomware attacks on small companies and government organisations. However, more extensive attacks are now being launched, as the ransomware attack on Acer also appears to have been facilitated by the vulnerabilities in Exchange Server.