I remember this kind of thing happening all the time in the 90s and part of the 00s... It's just 10 to 1000 times worse nowadays since EVERYTHING is online now.
Chris Krebs was definitely not the US CISO. He was the director of CISA, the Cybersecurity and Infrastructure Security Agency. CISO of the US is usually a meaningless figurehead; Krebs actually did things.
Yeah, I just had an awkward conversation with a relative who works for a company that has an on-site email server running Exchange. When I asked him whether he had patched or upgraded it, he said no, Microsoft does all that. Grim.
Unfortunately "moving to Office 365" for many organisations doesn't get rid of Exchange. Microsoft's article on "how and when" is basically a list of reasons you might be stuck with it.
> However, we have put little effort into how to get you from a hybrid configuration to the cloud only.
It's hilarious to see someone at Microsoft say the quiet part out loud.
Next thing you know they'll admit in writing that they have no plans for supporting Azure AD tenant to tenant trusts. Or, for that matter, tenant to tenant migrations as well...
I mean, think about it: Who would want that? Nobody with a KPI of on-prem to cloud migrations at Microsoft headquarters, certainly!
Yep, getting 365 means you still end up hosting your own stuff, also paying Microsoft to host copies of it, and basically doubling your attack surface.
Even if you move to O365/Exchange Online, you’ll likely always have some Exchange footprint. The only way to get around this is to migrate your AD to Azure.
Just like after the Experian hack, Experian ramped up their commercials for their paid Identity Theft Protection service. I was seeing their commercials every hour.
But that's only an MTA, I hear you cry, Exchange does both MTA & MDA! Bear with me.
Postfix is software to learn from. It might be written in C, but the architecture is the epitome of beautiful modular design. It's not just the meticulous separation of concerns and the care and attention to detail; everything from string handling to memory management is pristinely handled. https://github.com/vdukhovni/postfix
Even at runtime the beauty of the architecture allows for a sysadmin to choose (via master.cf) exactly how the components should be composed to fit their needs. The defaults are crafted for minimum fuss if you just need to get it running ASAP. The software is ergonomic in addition to being artfully crafted.
So what does all this care and attention get you? Only 9 CVEs in 22 years, only 3 of which are code exec, only 2 of which are (maybe) remote code exec, only 1 of which is unauth user RCE - but very hard in practice to exploit.
Maybe it’s just not that popular? It was 1/3 of all SMTP servers on the internet according to a 2019 scan.
So it's the best MTA ever to exist, but what about MDA? Well, that was the whole point. Compose well-crafted components together to build a system. You especially don't run part of your mailserver's web interface in kernel space because, well, I'm not sure why IIS/Exchange does that :-)
So Postfix does about 1/10th of what Exchange does, and is secure. Very well, do one thing and do it well.
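As an added illustration of the master.cf composition described a few comments above (this is my own example, not code from the Postfix project or from any commenter): a small Python audit that parses a master.cf and reports which services face the internet, which run as root, and which are not chrooted, which is exactly the privilege-separation picture the comment is praising. Column defaults follow master(5) for Postfix 3.x (chroot defaults to `n` from 3.0 on; it was `y` before). The sample file below is constructed here, modelled on a stock master.cf rather than copied from a real host, and the function names `parse_master_cf` and `audit` are my own choice.

```python
"""Audit a Postfix master.cf for per-service privilege choices.

Added example, not Postfix project code. Assumes Postfix 3.x column
defaults from master(5): private=y, unpriv=y, chroot=n.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Defaults used when a column holds "-" (master(5), Postfix >= 3.0).
DEFAULTS = {"private": "y", "unpriv": "y", "chroot": "n", "wakeup": "0", "maxproc": "100"}


@dataclass
class Service:
    name: str
    type: str            # inet (network socket), unix, fifo or pass
    private: str         # y: socket only reachable by Postfix's own processes
    unpriv: str          # y: runs as $mail_owner; n: runs as root
    chroot: str          # y: chrooted into $queue_directory
    wakeup: str
    maxproc: str
    command: str         # daemon name plus any arguments
    options: dict = field(default_factory=dict)  # -o name=value overrides


def parse_master_cf(text: str) -> list[Service]:
    """Parse master.cf text, honouring comments, continuation lines and '-' defaults."""
    services: list[Service] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Indented line continues the previous entry's command/arguments.
            if not services:
                raise ValueError("continuation line before any service entry")
            services[-1].command += " " + " ".join(raw.split())
            continue
        cols = raw.split(None, 7)
        if len(cols) < 8:
            raise ValueError(f"malformed master.cf line: {raw!r}")
        name, stype, private, unpriv, chroot, wakeup, maxproc, command = cols
        given = {"private": private, "unpriv": unpriv, "chroot": chroot,
                 "wakeup": wakeup, "maxproc": maxproc}
        resolved = {k: (DEFAULTS[k] if v == "-" else v) for k, v in given.items()}
        services.append(Service(name, stype, resolved["private"], resolved["unpriv"],
                                resolved["chroot"], resolved["wakeup"],
                                resolved["maxproc"], command))
    # Pull "-o name=value" overrides out of each service's argument list.
    for svc in services:
        tokens = svc.command.split()
        for i, tok in enumerate(tokens):
            if tok == "-o" and i + 1 < len(tokens):
                key, _, value = tokens[i + 1].partition("=")
                svc.options[key] = value
    return services


def audit(text: str) -> dict[str, list[str]]:
    """Summarise which services are exposed, privileged, or outside the chroot."""
    services = parse_master_cf(text)
    return {
        "internet_facing": [s.name for s in services if s.type == "inet"],
        "runs_as_root": [s.name for s in services if s.unpriv == "n"],
        "not_chrooted": [s.name for s in services if s.chroot == "n"],
        # Network-reachable AND (root or unchrooted) is the combination to worry about.
        "exposed_and_privileged": [s.name for s in services
                                   if s.type == "inet" and (s.unpriv == "n" or s.chroot == "n")],
    }


# Constructed sample modelled on a stock master.cf; not taken from a real host.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
local     unix  -       n       n       -       -       local
lmtp      unix  -       -       y       -       -       lmtp
"""

if __name__ == "__main__":
    for key, names in audit(SAMPLE_MASTER_CF).items():
        print(f"{key:24s} {', '.join(names) or '(none)'}")
```

In the sample only the local delivery agent runs as root (it has to write into users' mailboxes), and the only processes reachable from the network, `smtp` and `submission`, run unprivileged inside the chroot; the `lmtp` entry is the hand-off to an external MDA, which is the "compose components" point made above.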
You talk about composing it with other stuff to create a system, but fail to mention if that system will still be more secure than Exchange. Even if each component of the system is individually very secure, that still doesn't tell you much about the security of the system. It's extremely easy to piece together two secure components and obtain 0 security.
Edit: accidentally said 'not secure' instead of 'secure' in first statement, completely changing the meaning. Corrected in-place.
Except this bug is an SSRF in the Exchange web interface, so the MTA is equivalently safe to Postfix. You could compose Exchange's MTA with another MDA and get exactly the same security posture. Except with Exchange, which is actually a good MTA.
How is it worse now? It looks to me that it's better now since SAAS companies today just patch their products on their end, and even this situation is better than needing physical media as in the past if the patch is too big.