Microsoft’s monthly Patch Tuesday release for April includes fixes for a myriad of vulnerabilities, including four in Exchange Server discovered by the U.S. National Security Agency.
According to the software giant’s Security Response Center, the updates include over 100 vulnerabilities that fix things ranging from Exchange Server vulnerabilities to flaws in Microsoft Office products, Microsoft Edge and Azure.
“Recent events have shown, security hygiene and patch management are more important than ever as the industry works to protect from both sophisticated and common cybercriminal activity,” the company said in a blog post on the updates.
Now that the vulnerabilities – many of which classified as critical – are publicly disclosed, customers need to update immediately as attackers will shift their efforts to exploit these recently disclosed flaws before organizations and users can apply the necessary updates.
According to Bleeping Computer, five are zero-day vulnerabilities, and 19 are classified as Critical and 89 are classified as Important.
According to Microsoft, the four new Exchange Server vulnerabilities discovered by the NSA are remote code execution flaws that were assigned a CVSS score of 9.8.
The company says it has not seen the vulnerabilities exploited against its customers, but given “recent adversary focus on Exchange,” customers should install the updates immediately.
Customers using Exchange Online are already protected and do not need to take any action, Microsoft says.
Indeed, attacks on Exchange Server have been a focus on cyber actors of late, including by a nation-state hacking group in China that Microsoft calls Hafnium. The company issued emergency patches early last month to patch four zero-day vulnerabilities that were being exploited to steal information from targeted victims.
Once those vulnerabilities were disclosed, other hacking groups began to exploit them and establish a presence on customer networks before organizations could apply the patches.
For more information on the updates and disclosed vulnerabilities, visit Microsoft’s Security Update Guide.