Microsoft has paused the November 2024 Change safety updates launched throughout this month’s Patch Tuesday due to electronic mail supply points on servers utilizing customized mail circulate guidelines.
The corporate introduced it pulled the updates from Home windows Replace and the Obtain Heart following widespread reviews from admins saying that electronic mail had stopped flowing altogether.
This challenge impacts prospects utilizing transport guidelines (also called mail circulate guidelines) or information loss safety (DLP) guidelines, which can cease periodically after putting in the November Change Server 2016 and Change Server 2019 safety updates.
Whereas mail circulate guidelines filter and redirect emails in transit (simply as Outlook inbox guidelines for emails which have already landed within the consumer’s mailbox), DLP guidelines forestall delicate info from being by accident shared or leaked exterior a corporation.
“We’re persevering with the investigation and are engaged on a everlasting repair to handle this challenge. We are going to launch it when prepared. We’ve got additionally paused the rollout of November 2024 SU to Home windows / Microsoft Replace,” Redmond mentioned.
Microsoft additionally suggested admins who see mail circulate points to uninstall the buggy November safety updates till re-released. Nonetheless, those that do not use transport or DLP guidelines and haven’t run into this challenge can proceed utilizing their up-to-date Change servers.
Warnings on emails abusing spoofing flaw
This week, Microsoft additionally disclosed a high-severity Change Server vulnerability (CVE-2024-49040) that may let attackers forge professional senders on incoming emails to make malicious messages far more efficient.
“The vulnerability is attributable to the present implementation of the P2 FROM header verification, which occurs in transport,” Microsoft defined, warning that the safety flaw could possibly be utilized in spoofing assaults concentrating on Change servers.
“The present implementation permits some non-RFC 5322 compliant P2 FROM headers to cross which may result in the e-mail shopper (for instance, Microsoft Outlook) displaying a cast sender as if it had been professional.”
Whereas Microsoft has not patched the vulnerability and can nonetheless settle for emails with these malformed headers, Redmond says servers will now detect and prepend a warning to malicious emails after putting in the Change Server November 2024 Safety Replace (SU).
Microsoft mounted 4 zero-days in the course of the November 2024 Patch Tuesday fixes, two actively exploited in assaults and three publicly disclosed.
It additionally addressed 4 crucial vulnerabilities, together with two distant code execution flaws and two elevations of privileges bugs.