There has been a disagreement between Microsoft and Trend Micro’s Zero Day Initiative over a series of zero-day vulnerabilities in Microsoft Exchange, causing confusion about the potential risks of these flaws. Trend Micro’s Zero Day Initiative (ZDI) disclosed four zero-day vulnerabilities in on-premises versions of Microsoft Exchange on November 2: a deserialization and remote code execution flaw, ZDI-23-1578, and three server-side request forgery (SSRF) flaws, ZDI-23-1581, ZDI-23-1580 and ZDI-23-1579. ZDI researcher Piotr Bazydło emphasized the seriousness of the SSRF issues, specifically ZDI-23-1581, in a blog post, where he highlighted that authenticated remote attackers could disclose sensitive information from a target’s Exchange inbox.
When ZDI disclosed the vulnerabilities, Microsoft responded by stating that the company had investigated the issues and concluded that they did not require immediate servicing. Microsoft shared the report with the team responsible for maintaining the product, indicating that potential future fixes would be considered. However, ZDI was not satisfied with this response as it was uncertain when or if the issues would be fixed. As a result, ZDI decided to publish a blog post for all four vulnerabilities, recommending that interactions with the application be restricted as a mitigation strategy.
Regarding one of the vulnerabilities, remote code execution flaw ZDI-23-1578, Microsoft told cybersecurity publication SecurityWeek that it had already been patched via August security updates. However, ZDI felt that Microsoft’s response was misleading because the fix only covered default configurations of Exchange, and the bug report covered non-default configuration scenarios. ZDI’s head of threat awareness, Dustin Childs, expressed concerns that many Exchange servers might still be vulnerable if their admins believed they were safe based on the patch.
Childs also argued that Microsoft downplayed the seriousness of the SSRF bugs, pointing out that they were worth addressing because the authentication requirement is a weak barrier: many Exchange environments contain compromised user accounts that can already authenticate. However, Microsoft responded by stating that the vulnerabilities disclosed by ZDI either did not meet the bar for immediate servicing under its severity classification guidelines or had already been addressed.
In light of these disagreements, Microsoft announced the Secure Future Initiative, a plan to better address software and vulnerability issues. As part of the initiative, Microsoft president Brad Smith emphasized the importance of encouraging more transparent reporting of vulnerabilities across the tech sector.
This disagreement between Microsoft and ZDI comes after months of public criticism of Microsoft’s handling of reported vulnerabilities, particularly in its cloud services. The security community has expressed concerns about Microsoft’s approach to addressing security issues and has been vocal about the need for transparency and consistent reporting in the tech industry.
Overall, the conflicting perspectives on the severity and urgency of the zero-day vulnerabilities in Microsoft Exchange have raised questions about the potential risks and the best methods for addressing them. As the security community continues to advocate for improved transparency and collaboration in addressing vulnerabilities, the industry will be closely monitoring how Microsoft and ZDI navigate these disagreements to ensure the security of users and systems.
