Security centre issues alert over Microsoft Exchange



Six months after Microsoft acknowledged the first vulnerabilities in Microsoft Exchange Server, 10% of Luxembourg servers have not been "fixed", a multi-level risk for companies that have not followed the recommendations. (Photo: Shutterstock)

Six months after Microsoft announced vulnerabilities in the Microsoft Exchange Server software, 10% of the servers hosted in Luxembourg have not been fixed, a situation that poses several risks to the companies and organisations that use them, warns Circl.

One in ten of the servers running Microsoft Exchange Server in Luxembourg have not been “disinfected” six months after the first international, then national and repeated alerts by the Computer Incident Response Center Luxembourg (Circl).

On Tuesday, Circl issued a rare public statement to all professional chambers, federations and associations, saying “patching” is no longer enough since potential attackers have had ample opportunity to infect the entire infrastructure of a company or organisation. A clean back-up must be reinstalled or Circl must be contacted directly by email or telephone.

“Microsoft has been leading us on for weeks,” says Alexandre Dulaunoy, implying that they are minimising the risks linked to the four security flaws discovered before spring.

What is the risk for a company? For example, as has already happened in Luxembourg, receiving an email from one of your clients or a colleague, which contains a link infected with ransomware. “There is a risk for the infrastructure, a risk for the operation and above all a big reputational risk,” says the expert.

In March, Circl had listed 486 Exchange servers. “These 10% represent a significant proportion, whether they are for the benefit of an architect’s office, a law firm, SMEs or larger companies.”

Between those who are unaware, those whose IT departments are out of date and those who outsource to professionals in no hurry to remedy the problem, the risk remains high.

Circl issued its first warnings on 11 March. Since then, Microsoft has admitted to more than 55 vulnerabilities, the latest on 9 November.

This story was first published in French on Paperjam. It has been translated and edited for Delano.