© 2021 www.richardwalz.com
Richard Walz
All rights reserved.

Critical Updates – 2020 February

Microsoft — CVE-2020-0688

tl;dr – Send or receive email and get RCE on Exchange Servers… yikes. All Exchange Server installations in the world share a crypto key.

This update resolves a flaw in Exchange Server versions 2010 to 2019 where merely sending or receiving a specially crafted email can cause the Exchange Server to execute malicious code. During install, Exchange fails to create unique cryptographic deserialization keys, so every Exchange Server installation shares the same crypto key until it is patched. While the flaw is currently rated Important, attackers will reverse-engineer the patch to identify and develop exploits.

Note: Unsupported, end-of-life versions of the software may also be affected, even though those versions are not listed.
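The defensive takeaway from the CVE-2020-0688 note is that an ASP.NET `<machineKey>` is only protective when it is unique to the install: once many servers share one validationKey/decryptionKey pair, anyone holding that pair can produce payloads the server treats as trusted. The script below is an added example (not code from richardwalz.com, Microsoft or Exchange) showing how an administrator can audit a web.config `<machineKey>` against a baseline of fingerprints of keys known to be shared, and rotate it to a fresh random pair. The web.config snippet, `CONSTRUCTED_SHARED_KEY` and the fingerprint set are constructed stand-ins, not the real Exchange values; in practice you would populate the set from your own vendor advisory data.

```python
"""Audit and rotate an ASP.NET <machineKey> (added example, constructed data).

Stores only SHA-256 fingerprints of known-shared keys so the audit baseline
never has to contain the sensitive key material itself.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-ins for key material shared across many installs.
# These are NOT the real Exchange keys; replace with your own baseline.
CONSTRUCTED_SHARED_KEY = "AB" * 24            # 24-byte key, hex encoded
CONSTRUCTED_SHARED_DECRYPTION_KEY = "CD" * 12  # 12-byte key, hex encoded


def fingerprint(hex_key: str) -> str:
    """Normalize the hex key and hash it, so baselines hold no raw keys."""
    return hashlib.sha256(hex_key.strip().lower().encode()).hexdigest()


# Hypothetical baseline: fingerprints of keys observed on more than one install.
KNOWN_SHARED_FINGERPRINTS = {
    fingerprint(CONSTRUCTED_SHARED_KEY),
    fingerprint(CONSTRUCTED_SHARED_DECRYPTION_KEY),
}

# Constructed web.config fragment of the kind an install might ship with.
CONSTRUCTED_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{CONSTRUCTED_SHARED_KEY}"
                decryptionKey="{CONSTRUCTED_SHARED_DECRYPTION_KEY}"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""


def _find_machine_key(root: ET.Element):
    """Return the first <machineKey> element anywhere in the config, or None."""
    return next(root.iter("machineKey"), None)


def audit_machine_key(web_config_xml: str) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = _find_machine_key(root)
    if mk is None:
        # Without an explicit element ASP.NET auto-generates per-machine keys.
        return ["no <machineKey> element: ASP.NET auto-generates per-machine keys"]
    for name in ("validationKey", "decryptionKey"):
        key = mk.get(name, "")
        if not key:
            findings.append(f"{name} is missing")
        elif key.startswith("AutoGenerate"):
            continue  # per-machine key, nothing to compare against a baseline
        elif fingerprint(key) in KNOWN_SHARED_FINGERPRINTS:
            findings.append(f"{name} matches a key known to be shared across installs")
    return findings


def generate_machine_key() -> dict:
    """Fresh per-install key pair: 64-byte HMAC-SHA256 key, 32-byte AES key."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(web_config_xml: str) -> str:
    """Return the config with <machineKey> replaced by freshly generated keys."""
    root = ET.fromstring(web_config_xml)
    mk = _find_machine_key(root)
    if mk is None:
        system_web = root.find("system.web")
        if system_web is None:
            system_web = ET.SubElement(root, "system.web")
        mk = ET.SubElement(system_web, "machineKey")
    for attr, value in generate_machine_key().items():
        mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(CONSTRUCTED_WEB_CONFIG):
        print("FINDING:", finding)
    rotated = rotate_machine_key(CONSTRUCTED_WEB_CONFIG)
    print("after rotation:", audit_machine_key(rotated) or "no findings")
```

Rotating keys on one server of a load-balanced Exchange farm will break sessions and ViewState shared with its peers, so the new pair has to be deployed to every member of the farm together; the audit step is safe to run anywhere.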