New Critical Security Update for Exchange Server


Microsoft has just released a critical out-of-band Security Update for all Exchange Server versions, referred to as the March 2021 Security Update for Exchange Server. It is highly recommended to apply this Security Update to all your Exchange Servers as soon as possible.

Installing the Security Update

To apply the new Security Update (KB5000871), the Exchange Servers need to be on the latest Cumulative Update (CU) or, for Exchange 2010, the latest Rollup Update (RU).

The Security Update is available for the following Exchange Server versions – with download links:

Download the Security Update for the specific version your Exchange Servers are running.

If your Exchange Servers are not on one of the above Exchange versions, you must update them first, before you can install the Security Update.

To install the Security Update, run the installer from an elevated command prompt to prevent any issues during installation.

My experience with installing the Security Update is that it can take anything between 15 minutes and 1 hour to apply, depending on the server and Exchange version.

Remember to restart your servers after applying each update.

Jeff Guillet has also made a good blog post on how to update:

Official Information about the vulnerability and the update

Microsoft EMEA held a webcast about the Out-of-Band update and the incident, which can be found here:

The slide deck from the webcast, with info and instructions, can be found here:

The official Exchange Team Blog post about the Security Update:

Read more in this Microsoft blog post about how to detect the vulnerability using Endpoint Defender or Azure Sentinel:

There is already a ton of great information available. For further information on the actual vulnerability, some of these great resources are:

Confirm Security Update Install

If you want to confirm that the Security Update (KB5000871) has been installed on all the Exchange Servers in your environment, you can run the following PowerShell from the Exchange Management Shell:

Get-ExchangeServer | % { Invoke-Command -ComputerName $_.name -ScriptBlock { Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -like "*KB5000871*" }}} | select pscomputername, Displayname | sort pscomputername | ft
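The one-liner above only lists servers where the update was found, so an unpatched or unreachable server simply does not appear in the output. The following variant is an added example (not from the original post) that emits one row per server with an explicit status; the variable names and the status labels Installed, MISSING and UNREACHABLE are illustrative choices, and it uses the same registry path as the command above.

```powershell
# Added example: per-server status for KB5000871, including servers that
# lack the update or cannot be reached. Run from the Exchange Management Shell.
$kb           = 'KB5000871'
$uninstallKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'

$report = foreach ($server in Get-ExchangeServer) {
    try {
        # Same registry lookup as the one-liner, executed on the remote server.
        # -ErrorAction Stop turns a remoting failure into a catchable error.
        $hits = Invoke-Command -ComputerName $server.Name -ErrorAction Stop -ScriptBlock {
            param($key, $pattern)
            Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -like "*$pattern*" } |
                Select-Object -ExpandProperty DisplayName
        } -ArgumentList $uninstallKey, $kb

        [pscustomobject]@{
            Server      = $server.Name
            Version     = $server.AdminDisplayVersion
            Status      = if ($hits) { 'Installed' } else { 'MISSING' }
            DisplayName = ($hits -join '; ')
        }
    }
    catch {
        # Report the failure so the server is not silently skipped.
        [pscustomobject]@{
            Server      = $server.Name
            Version     = $server.AdminDisplayVersion
            Status      = 'UNREACHABLE'
            DisplayName = $_.Exception.Message
        }
    }
}

# Full overview, one row per Exchange Server.
$report | Sort-Object Server | Format-Table -AutoSize -Wrap

# Servers that are not confirmed as patched and still need attention.
$report | Where-Object { $_.Status -ne 'Installed' } | Select-Object Server, Status
```

A server reported as UNREACHABLE has not been verified either way and should be checked locally.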

Mitigation

Microsoft has posted some great information on mitigation of the vulnerability here: