Security Bits Logo no alpha channel

Security Bits — 2 October 2022

Feedback & Followups

  • 🇺🇦 🇷🇺 To comply with international sanctions on Russia over its invasion and annexation of Ukraine, Apple have removed a major Russian app from VK from all app stores —…

Deep Dive — A Pair of Microsoft Exchange Zero-days

If your organisation runs its own Exchange server, it’s time to buy your sysadmin another coffee! ☕️

A pair of zero-day bugs have been found that can be chained together to allow an attacker to turn an Exchange username and password into arbitrary code execution on the Exchange server. Note that if 2FA is enabled, it’s bypassed!

When you log in to a system with 2FA the system first verifies your username and password, and then it runs some code to challenge the user for their second factor. All code is written by humans, and all humans make mistakes, so it’s possible for a bug to sneak into this code that sits between the first and second factors. This is called a mid-authentication vulnerability, and that’s what we’re dealing with here.

What this means is that the vulnerability is nowhere near as catastrophic as it would be if it didn’t require authentication at all, but it’s still a lot worse than you might think at first glance because all an attacker needs to compromise a server is one valid username and password pair. When you think about how many people reuse passwords, how many password breaches there have been, and how many people fall for phishing scams, suddenly having the entire security of your mail infrastructure resting on your weakest username+password combination doesn’t feel so secure after all!

These are true zero-day bugs. They were reported to Microsoft a month ago, and because there is still no fix, the security researcher released some basic details to alert the world to the problem, and Microsoft then released an advisory recommending a temporary workaround while they work on a patch.

Any organisation running their own Exchange server needs to apply the workaround ASAP!


❗ Action Alerts

Worthy Warnings

  • 🇦🇺 The large Australian telco Optus has suffered a massive data breach, with 20M records (name, DOB, cellphone number & government-issued ID (serial) number) being stolen by the attackers —… (No payment details so biggest threats are ID theft and targeted phishing)

Notable News

Top Tips

Interesting Insights

Palate Cleansers

  • We hit an Asteroid 😀


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top