Problem Now Fixed, But Still Not a Good Sign

Adding to Microsoft’s recent woes with the Hafnium attacks on Exchange Server, Golem.de reports that a German software company discovered that the Hybrid Configuration Wizard (HCW) used to configure the connection between Exchange on-premises servers and Exchange Online has been compromised. Instead of downloading a binary file from Azure, J.A.Richter (the person trying to get the HCW) received a 1 KB text file containing the text:

“If Microsoft cared about security, they would never have published their own binaries to customers. At least not after which product manager has decided to change the distribution location of the file, then delete your own blob storage account and make the file publicly available to everyone.”

The Goodness of an Evergreen HCW

Microsoft moved to an online model for the HCW in 2015. The idea was that instead of distributing binaries with Exchange server updates, customers could use an always up-to-date version. In other words, as Microsoft discovered problems in the HCW or made changes to improve how it works, they would issue a new binary (hybridsetup.exe) and make it available for download. The HCW has had its problems over the years, but the evergreen approach allowed Microsoft to push out regular updates to fix issues as they arose.

Figure 1: Exchange Online Hybrid Configuration Wizard (HCW)

Unfortunately, it looks as if the unknown person who reported the problem found that the security controls on the file were not tight enough. To prove their point, they replaced the binary with a text file. It’s a nice way of telling Microsoft that a royal screw-up has happened at a time when everyone is just a touch sensitive about security.

The good news is that Microsoft has fixed the problem and the HCW file location now delivers version 17.0.5785.0 of the HCW binary, a 2.26 MB file (Figure 1).
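Because the evergreen model means administrators run whatever the download location hands them, a sensible habit is to check the downloaded file before executing it rather than trusting the location alone. The script below is an added example, not code from the article or from Microsoft; the local path is an assumption, and the version is the one cited above.

```powershell
# Added example (not from the article): sanity-check a downloaded
# hybridsetup.exe before running it. Path and expected version are assumptions.
param(
    [string]$Path = "$env:TEMP\hybridsetup.exe",   # assumed download location
    [string]$ExpectedVersion = '17.0.5785.0'       # version cited in the article
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# A 1 KB text file is not an installer; a swapped download fails here first.
if ($file.Length -lt 1MB) {
    throw "Unexpected size ($($file.Length) bytes) for $Path; refusing to run."
}

# Require an Authenticode chain that validates, not merely a present signature.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature status '$($sig.Status)' for $Path; refusing to run."
}

# Confirm the signer is Microsoft, not just any valid code-signing certificate.
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer '$subject' for $Path; refusing to run."
}

# Compare the embedded file version with the version you expect to be current.
$version = $file.VersionInfo.FileVersion
if ($version -ne $ExpectedVersion) {
    Write-Warning "File version $version differs from expected $ExpectedVersion."
}

[pscustomobject]@{
    Path      = $Path
    SizeMB    = [math]::Round($file.Length / 1MB, 2)
    Signer    = $subject
    SigStatus = $sig.Status
    Version   = $version
}
```

Run it against the file you just fetched; anything other than a valid Microsoft signature on a multi-megabyte binary should stop the hybrid setup before it starts.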

Debating the Exchange Server Issues

Clearly Exchange administrators have a lot to think about at present. To help clarify the issues around protecting Exchange on-premises servers against attack, watch our on-demand webcast with MVPs Jeff Guillet, Michael Van Horenbeeck, Paul Robichaux, and CISSP Bryan Patton to learn how the experts combat HAFNIUM attacks and security flaws within Exchange Server.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Jan

    At least Microsoft isn’t telling people to curl and pipe the file…

    1. Matt

      “Just curl -sFL not_a_virus.bash | bash”

      (I can never remember the flags they get you to use tbh)

    2. Josh

      There’s literally no difference. Additionally, most everyone on Linux installs packages through a package manager, which are all cryptographically signed with GPG keys.

      So, no, this kind of thing doesn’t really happen with Linux servers.

      1. Simon Kepp

        The method described above is very common practice for installing various tools on Linux. Linux itself has excellent package managers that are much safer, but lots of 3rd-party tools still use this dubious practice instead.
