Microsoft Exchange 2010 End of Support and Overall Patching Study


Today's topic is Exchange 2010, which reaches end of support (EoS) on Oct. 13, 2020, as well as a survey of other versions of Exchange and how well they are being kept up to date. During our work with Project Sonar, we consistently see old and EoS software in use on the internet. This is generally a cause for concern, because it typically means that vulnerabilities will not be fixed. It is also an indicator that the environment the software is running in has other security issues.


The key takeaways from this post are:


Organizations running Exchange 2010 and earlier should upgrade to supported technology as soon as possible.
Organizations running Exchange 2013 should begin planning to upgrade to newer technologies.
Statistically speaking, most organizations running any version of Exchange are missing updates for critical vulnerabilities.

Before I move on, I want to point out that our numbers here will be fairly accurate, but not perfect. This is due to a couple of factors. First, the method that we use to fingerprint Exchange OWA allows us to determine the Exchange version down to major.minor.build, but we cannot see the revision. For example, for Exchange Server 2019 Cumulative Update (CU) 7 with the latest updates, the build number is 15.2.721.2, but we only see 15.2.721. This means that we can tell that the server is running 2019 CU7, but we can't be sure whether this month's patches were installed. Second, and most frustrating, is that Microsoft's updates don't always adjust the version number shown by tooling. Even Microsoft's own Exchange Admin Center and Get-ExchangeServer command will report incorrect versions in many instances.
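The sketch below is an added example, not code from the original post or from Project Sonar. It triages version strings from an inventory the way the paragraph above describes: a three-part version can confirm the CU but never the patch level. The function names, status labels and sample versions are assumptions; the only baseline entry is the 15.2.721.2 build quoted in the post.

```python
# Added example: triage Exchange version strings from an asset inventory.
# Only the 2019 baseline (15.2.721.2, from the post) is filled in; add the
# current build for other products from Microsoft's build-number listing.
EOS = {"pre-2010", "2010"}      # per the post: 2010 and earlier should upgrade
BASELINE = {"2019": (721, 2)}   # product -> (CU build, revision after updates)

def product_of(major, minor):
    """Map Exchange major.minor to a product family."""
    if major < 14:
        return "pre-2010"
    if major == 14:
        return "2010"
    if major == 15:
        return {0: "2013", 1: "2016", 2: "2019"}.get(minor, "unknown")
    return "unknown"

def classify(version):
    """Return (product, status) for a 3-part or 4-part version string."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) not in (3, 4):
        raise ValueError(f"expected major.minor.build[.revision]: {version!r}")
    major, minor, build = parts[:3]
    revision = parts[3] if len(parts) == 4 else None
    product = product_of(major, minor)
    if product in EOS:
        return product, "end-of-support"
    if product not in BASELINE:
        return product, "no-baseline"
    want_build, want_rev = BASELINE[product]
    if build < want_build:
        return product, "behind-cu"
    if build > want_build:
        return product, "newer-than-baseline"
    if revision is None:
        # Remote fingerprint case: right CU, patch level not observable.
        return product, "cu-current-patch-unknown"
    # A matching revision is only what the server reports; per the post,
    # updates do not always change the reported version.
    if revision >= want_rev:
        return product, "reports-patched"
    return product, "missing-security-update"

# Constructed sample inventory, not real scan data.
OBSERVED = ["14.3.123", "15.0.1497", "15.2.595", "15.2.721", "15.2.721.1"]

if __name__ == "__main__":
    for v in OBSERVED:
        print(v, *classify(v))
```

Anything that comes back as `cu-current-patch-unknown` needs the four-part build checked on the host itself before it can be counted as patched.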


