Security Watch

Keeping Track of patches and hacks in the IT security world.

Exchange Patch Could Bring E-Mail Hell

Download the authoritative guide:

Microsoft is issuing a critical security bulletin for Exchange on next week's Patch Tuesday that's likely to leave some employees squawking and without e-mail midweek.

"There hasn't been an Exchange [patch] for awhile," Don Leatham, director of solutions and strategy at PatchLink, said in an interview. "I think [for] a lot of the smaller or medium-sized organizations that are used to just waiting til the weekend to do anything with Exchange, we'll have to wait to see what the severity of this [update] is, especially since Exchange is such a critical communication [medium]."

Exchange is a crucial, pervasive part of the day to many organizations. Not all organizations have necessarily thought through how to bring e-mail down and back up in the middle of week, Leatham said—especially in the case of organizations big enough to be global but small enough to not have invested dollars in high-availability technology.

"They could have people in Singapore and the UK and America all running off one Exchange server and they've beefed it up and it's handling a fairly big amount of people, but now where do I take it down and patch it?" Leatham said. "If there's something especially big in the wild that comes out immediately after this is announced, [companies are] going to have to rethink how [to] handle this."

If the Exchange vulnerability to be patched on Tuesday has to do with remote code execution, and if it's a vulnerability to worm attack, it will have serious ramifications on companies' patching schedules. The lesson here: All IT departments should be taking special notice of the update pertaining to Exchange.

One PatchLink customer, Richard Linke, agreed. "Exchange always brings a multitude of complexities into the environment," said Linke, an independent security consultant and former global security manager at Kraft Foods. "It's the same philosophy as [data centers]: You can't take all [the Exchange servers] out at once, or everybody winds up not being able to do mail."

Linke will be overseeing the update of 36 Exchange servers around the world after Microsoft sends out its security advisory on May 8. As far as the other security and non-security updates go, he's looking at updating 5,000 servers.

Linke's planning to follow the sun with the updates. "[We'll] notify regions of what times [we'll] plan to do it. As the sun rises in one place, [we'll make sure the] Exchange group server is done," he said.

Australia's his typical guinea pig, given that it's got a smaller customer base. "You have to pick one part of the region or country or both and take your best shot there," he said.

Linke uses PatchLink to distribute responsibility for updating. He allocates regional servers to a team that updates that portion. Those who control servers in Latin America, for example, are given centralized control over that region, while Linke oversees all regions globally, centralized in one location.

As soon as the patches are out in raw format from Microsoft, Linke's team will use PatchLink's PDK (PatchLink Developers' Kit) to create a customized and configured version of the patch. By 1:30 a.m. on Patch Tuesdays, his team is already distributing packages to test users. In this case, he'll likely have five test users set up, one for each product family that will be updated: Windows, Office, Exchange, BizTalk and Microsoft's CAPICOM encryption technology.

The Office updates are the stickiest, he said. That's because they ship for such a variety of operating systems and versions. Linke's clientele run mixed environments, with a mishmash of Windows versions. So even though Microsoft is saying it will ship three Office security updates in this coming release, that could easily balloon into nine to 12 patches, depending on what the components of the updates are, he said.

"They say [the updates are for] Office. Is it for the suite, plus a plug-in for Excel, plus odds and ends for Word?" he said.

At any rate, it's "always amusing" to get Microsoft prerelease notifications, Linke said, with the company's advance notice on broad categories of what's going to be updated topped off by an utter lack of details.

"It's like the weatherman saying there's a chance of extreme thunderstorms ... soon," he said. "You don't know when until it comes out."

Also coming next week is a patch for the Domain Name System vulnerability. Exploits of the vulnerability began to appear in mid-April and were still multiplying at least a week later, although Microsoft claimed that attacks never became widespread.

Linke hardened his servers, but in spite of DNS vulnerability exploits in the wild, he resisted workarounds. He said he "almost never" would do anything "drastic" of that nature. "When they announce those vulnerabilities and say, 'You've got to look here and there [to amend a system], but if you make a drastic change to the infrastructure, the ramifications are unknown ... it's better to wait for [the official security update] and monitor what's going on around the world. I pay attention to SANS and other security organizations."

As far as third-party patches go, Linke said, he's seen plenty of people caught with their pants down, having to undo a third-party patch to use the vendor-issued patch.

"I see activity. I still have my ear on the rail," he said. "My ear can come off the rail on Tuesday if they address [the DNS] issue."