Problem Now Fixed, But Still Not a Good Sign
Adding to Microsoft’s recent woes with the Hafnium attacks on Exchange Server, Golem.de reports that a German software company discovered that the Hybrid Configuration Wizard (HCW) used to configure the connection between Exchange on-premises servers and Exchange Online has been compromised. Instead of downloading a binary file from Azure, J.A.Richter (the person trying to get the HCW) received a 1 KB text file containing the text:
“If Microsoft cared about security, they would never have published their own binaries to customers. At least not after which product manager has decided to change the distribution location of the file, then delete your own blob storage account and make the file publicly available to everyone.”
The Goodness of an Evergreen HCW
Microsoft moved to an online model for the HCW in 2015. The idea was that instead of distributing binaries with Exchange server updates, customers could use an always up-to-date version. In other words, as Microsoft discovered problems in the HCW or made changes to improve how it works, they would issue a new binary (hybridsetup.exe) and make it available for download. The HCW has had its problems over the years, but the evergreen approach allowed Microsoft to push out regular updates to fix issues as they arose.
Unfortunately, it looks as if the unknown person who reported the problem found that the security controls on the file were not tight enough. To prove their point, they replaced the binary with a text file. It’s a nice way of telling Microsoft that a royal screw-up has happened at a time when everyone is just a touch sensitive about security.
The good news is that Microsoft has fixed the problem and the HCW file location now delivers version 17.0.5785.0 of the HCW binary, a 2.26 MB file (Figure 1).
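The failure mode above, a download location that silently starts serving something other than the signed binary, is cheap to gate against on the admin workstation. The following PowerShell is an added example written for this post, not code from the article or from Microsoft; the download URL is a placeholder because the article does not give it, and the check relies on the standard Get-AuthenticodeSignature cmdlet rather than on file size or location.

```powershell
# Added example (not from the article or from Microsoft): fetch hybridsetup.exe to a
# temp path and refuse to run it unless it is a PE file carrying a valid Authenticode
# signature whose signer is Microsoft. $Url is a placeholder for the real HCW location.
$Url  = 'https://<hcw-download-location>/hybridsetup.exe'   # placeholder, not the real URL
$Path = Join-Path $env:TEMP 'hybridsetup.exe'

Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing

# 1. A Windows executable starts with the 'MZ' DOS header. The bogus download in the
#    article was a 1 KB text file, which fails this check before anything is executed.
$magic = [System.IO.File]::ReadAllBytes($Path)[0..1]
if (-not ($magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)) {
    throw "$Path is not a PE executable; refusing to run it"
}

# 2. Authenticode: the signature must verify and chain to a trusted root ('Valid'),
#    and the signing certificate must belong to Microsoft. A file placed in a reclaimed
#    or world-writable storage location by a third party cannot satisfy both.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Authenticode status for $Path is '$($sig.Status)'; refusing to run it"
}
if ($sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
    throw "Unexpected signer for $Path`: $($sig.SignerCertificate.Subject)"
}

# 3. Only now report what was fetched (file version and size, comparable with the
#    17.0.5785.0 / 2.26 MB build mentioned above) and launch the wizard.
$item = Get-Item $Path
Write-Host ("Verified {0} version {1} ({2:N2} MB), signed by {3}" -f `
    $item.Name, $item.VersionInfo.FileVersion, ($item.Length / 1MB), $sig.SignerCertificate.Subject)
Start-Process -FilePath $Path
```

The same three checks apply to any evergreen installer that is fetched at run time rather than shipped with a signed update; the signature check is the one that matters, the header check merely gives a clearer error for the text-file case.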
Debating the Exchange Server Issues
Clearly Exchange administrators have a lot to think about at present. To help clarify the issues around protecting Exchange on-premises servers against attack, watch our on-demand webcast with MVPs Jeff Guillet, Michael Van Horenbeeck, Paul Robichaux, and CISSP Bryan Patton to learn how the experts combat HAFNIUM attacks and security flaws within Exchange Server.
At least Microsoft isn’t telling people to curl and pipe the file…
“Just curl -sFL not_a_virus.bash | bash”
(I can never remember the flags they get you to use tbh)
There’s literally no difference. Additionally, most everyone on Linux installs packages through a package manager, which are all cryptographically signed with GPG keys.
So, no, this kind of thing doesn’t really happen with Linux servers.
The method described above is very common practice for installing various tools on Linux. Linux itself has excellent package managers that are much safer, but lots of 3rd party tools still use this dubious practice instead.