Microsoft said that four high-severity Microsoft Exchange flaws reported by Trend Micro's Zero Day Initiative have either already been addressed or do not need immediate servicing, because the authentication they require would significantly reduce their odds of being exploited, SecurityWeek reports.
In security updates issued in August, Microsoft already remediated the data deserialization issue within the ChainedSerializationBinder class, which could be leveraged to facilitate remote code execution. Meanwhile, Microsoft noted that the remaining server-side request forgery bugs, which could be leveraged to enable information leaks, are exploitable only through prior email credential access.
"We appreciate the work of this finder submitting these issues under coordinated vulnerability disclosure, and we're committed to taking the necessary steps to help protect customers. We've reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate," Microsoft said.
Malware-free intrusions have become the leading cybersecurity threat against small- to medium-sized businesses, accounting for 56% of all cyber incidents during the third quarter, SiliconAngle reports.