Due to the critical nature of recently issued Microsoft Exchange security updates, admins need to know that the updates may have installation issues on servers where User Account Control (UAC) is enabled.
Microsoft has added these warnings to all Exchange security updates released throughout the last few years.
Therefore, it was not surprising when we also saw it added to the support document for the Exchange Server 2019, 2016, and 2013 zero-day security updates released Tuesday.
Researchers and Microsoft employees have also been tweeting warnings to users to make sure the patches are actually being deployed on these problematic servers, given that some Exchange admins may not know about this known issue.
Install as an administrator to patch bugs correctly
The known issue occurs because some files are not updated when installing the security updates manually by double-clicking the MSP installers as a normal user.
Microsoft says that the installer will not display any errors or messages to let you know that the Exchange security updates have not been installed correctly.
The only indication that something might be wrong is that Outlook on the web and the Exchange Control Panel (ECP) might suddenly stop working.
“This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services,” Microsoft explains.
To work around this known issue, Microsoft recommends installing the security updates as an administrator, from the command-line:
Select Start, and type cmd.
In the results, right-click Command Prompt, and then select Run as administrator.
If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
Type the full path of the .msp file, and then press Enter.
Microsoft adds that the known issue would not occur if the Exchange Server security updates are installed through the Windows Update service.
The company also says that the Exchange services will be automatically restarted after applying the updates correctly.
Actively exploited Exchange vulnerabilities
The zero-day pre-auth RCE vulnerabilities patched Tuesday (two of them now dubbed ProxyLogon by the researchers who found them) are being exploited in ongoing attacks coordinated by multiple state-sponsored hacking groups.
Cybersecurity firm Huntress found web shells deployed on compromised Exchange servers while responding to these ongoing attacks, web shells that would provide the attackers with access to the servers even after they’re patched.
DHS-CISA said on Thursday that admins should investigate for signs of Microsoft Exchange Servers compromise going back to at least September 1, 2020.
Since they are under active exploitation, it is critical to check if they’ve installed correctly and adequately patched the security bugs.
Before updating your Microsoft Exchange servers, you will have to ensure that you’ve deployed a supported Cumulative Update (CU) and Update Rollup (RU) beforehand.
More information on installing these patches is available in this article published by the Microsoft Exchange Team.