Microsoft Manages to Put Out a One-Click Mitigation Tool for Exchange Server Hacks

The One-Click Mitigation Tool was designed to help customers without a dedicated security or IT team work through fixing their vulnerable Exchange servers.

Specifically, it is meant to help them apply emergency patches to their on-premises Exchange servers against the ProxyLogon vulnerabilities.

The tool was released on Monday and is designed to mitigate the threat posed by four actively exploited vulnerabilities that have been causing havoc for organizations globally.

The emergency security updates for the critical vulnerabilities were released on March 2nd; however, the company estimates that 82,000 internet-facing servers are still unpatched and remain vulnerable to attack.

Prior to this, the company published a script on GitHub that administrators could run to check their servers for indicators of compromise (IOCs) linked to the vulnerabilities. Microsoft even issued security updates for out-of-support versions of Exchange Server, just in case.
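The kind of check such an IOC script performs, as an added illustration that is not Microsoft's script: it scans Exchange HttpProxy-style log rows for unauthenticated requests whose AnchorMailbox has the ServerInfo~<host>/<path> shape that Microsoft's guidance associates with CVE-2021-26855. The column layout and the log rows below are constructed assumptions, not real server data.

```python
import csv
import io
from collections import Counter
from fnmatch import fnmatch

# Constructed sample in the shape of Exchange HttpProxy CSV logs (assumption:
# the column names follow the real logs; the rows themselves are invented).
SAMPLE_LOG = """DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T10:15:01.000Z,1,198.51.100.23,/owa/auth/x.js,,ServerInfo~exch01.example.internal/ecp/x.js
2021-03-03T10:15:02.000Z,2,203.0.113.7,/owa/,alice@example.com,Smtp~alice@example.com
2021-03-03T10:15:03.000Z,3,203.0.113.9,/ecp/,bob@example.com,Smtp~bob@example.com
2021-03-03T10:15:04.000Z,4,198.51.100.23,/ecp/y.js,,ServerInfo~exch01.example.internal/ecp/y.js
2021-03-03T10:15:05.000Z,5,203.0.113.9,/owa/,,Smtp~bob@example.com
"""

# The indicator: no authenticated user, and an AnchorMailbox of the form
# ServerInfo~<host>/<path>, which normal client traffic does not produce.
# Matching is case-insensitive, like the PowerShell -like operator.
IOC_PATTERN = "serverinfo~*/*"


def find_suspicious_requests(log_text):
    """Return the log rows that match the CVE-2021-26855 indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        anchor = (row.get("AnchorMailbox") or "").lower()
        unauthenticated = (row.get("AuthenticatedUser") or "") == ""
        # Row 5 above is unauthenticated but has a normal Smtp~ anchor, so it
        # must not be flagged; both conditions have to hold.
        if unauthenticated and fnmatch(anchor, IOC_PATTERN):
            hits.append(row)
    return hits


def suspicious_sources(log_text):
    """Count matching requests per client IP, the first thing to pivot on."""
    return Counter(r["ClientIpAddress"] for r in find_suspicious_requests(log_text))


if __name__ == "__main__":
    for row in find_suspicious_requests(SAMPLE_LOG):
        print(row["DateTime"], row["ClientIpAddress"], row["UrlStem"], row["AnchorMailbox"])
    print(suspicious_sources(SAMPLE_LOG))
```

A hit means the server should be treated as potentially compromised and investigated, not merely patched; a clean result only covers the log window that was scanned.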

After working with clients and partners, Microsoft says it saw the need for a single, simple, automated solution that meets the requirements of customers running both current and out-of-support versions of Exchange Server.

The tool is meant to ensure that customers who do not have security or IT staff available get the help they need, and so far it has been tested on:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Keep in mind that the tool is not an alternative to patching. It should, however, reduce the risk associated with the exploit until the patch is fully applied, and the patch should be applied as quickly as possible.

The tool can be run on existing Exchange servers. It includes the Microsoft Safety Scanner and a URL rewrite mitigation for CVE-2021-26855, a flaw that can lead to remote code execution (RCE) if exploited.

The tool exists because the team at Microsoft recognized a clear need for it. It is meant to serve as an interim mitigation for users who are not familiar with standard patch and update procedures.

By downloading and running this tool, including Microsoft Safety Scanner, customers will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed. This is what Microsoft is currently claiming, and hopefully, they are right.

Users who want to take advantage of it just need to download it and run it on their Exchange servers. Those who are already running the Microsoft Safety Scanner should continue doing so to assist with further mitigations.

Keep in mind that, currently, it is only effective against the attacks and exploits seen to date and is not guaranteed to stop attacks that may emerge in the future. It should only be used as a temporary fix until the full updates are applied.

What happens if you don't patch? Well, some Exchange servers that still carry the unpatched ProxyLogon flaw are being targeted by DearCry ransomware, which some security companies describe as unsophisticated.