Microsoft Says Exchange ‘Zero Days’ Disclosed by ZDI Already Patched or Not Urgent

Microsoft says four Exchange vulnerabilities disclosed by Trend Micro’s Zero Day Initiative (ZDI) last week have either already been patched or they don’t require immediate attention.

ZDI disclosed the existence of four high-severity Exchange vulnerabilities identified by the company’s Piotr Bazydlo after being informed by Microsoft that the issues do not require immediate servicing. According to ZDI, the flaws were reported to the tech giant in early September. 

ZDI’s advisories have been published with a ‘zero-day’ status, but the vulnerabilities are not actual zero-days as there is no indication that they have been exploited in the wild and there is no public technical information or PoC code that would increase their chances of getting exploited in the near future. 

Moreover, exploiting the vulnerabilities requires authentication, which further decreases their chances of being leveraged in malicious attacks.

According to ZDI, one of the vulnerabilities, tracked as ZDI-23-1578 — CVE identifiers have yet to be assigned to these flaws — is a data deserialization issue that allows remote code execution. 

“The specific flaw exists within the ChainedSerializationBinder class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM,” ZDI explained in its advisory. 

Microsoft told SecurityWeek that this vulnerability has actually been patched. Customers who have applied the August security updates are already protected, the tech giant said. 

The remaining issues have been described as server-side request forgery (SSRF) flaws that can lead to information disclosure

Advertisement. Scroll to continue reading.

For each of these security holes, Microsoft pointed out that exploitation requires prior access to email credentials. For two of the flaws, the company also noted that no evidence was presented that they can be leveraged to gain elevation of privilege or access to sensitive customer information.

“We appreciate the work of this finder submitting these issues under coordinated vulnerability disclosure, and we’re committed to taking the necessary steps to help protect customers. We’ve reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate,” a Microsoft spokesperson told SecurityWeek.

ZDI says in its advisories that given the nature of the vulnerabilities, “the only salient mitigation strategy is to restrict interaction with the application”.

Related: Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Related: Microsoft Exchange Server 2013 Reaches End of Support

Related: Microsoft Urges Customers to Patch Exchange Servers