04 October 2021

A Flaw Microsoft Wouldn't Fix

Not the first or the last such flaw.

Much has been written about the problems with Microsoft Exchange in general and the Autodiscover design flaw in particular. At this point the only bit that is interesting is Microsoft's attitude toward fixing things. Or not fixing things, as the case may be. Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn't fix even after 5 years.

In an effort to make life easier for Exchange administrators, in 2007 Microsoft introduced Autodiscover, which would enable email clients (like Outlook) to automatically set up new PCs for end users. Sometime between 2007 and 2016, MS changed it to make setup even easier: the protocol would just try every candidate server, including a bunch it shouldn't try, considering it was sending the user ID and password around the net in plain text.

This flaw was pointed out to Microsoft as early as 2016 and was included in a 2017 Black Hat Asia talk, All your emails belong to us. (That is a 6-page PDF; you may or may not want to look at it on your phone.)

So, that was 5 years ago. Back to 2021...

Last week, security firm Guardicore offered its take on the problem with the Autodiscover protocol, explaining that the "back off" mechanism for resolving domain names makes it trivial to set up servers on Autodiscover TLDs to intercept hundreds of thousands of credential transmissions from systems that haven't been properly secured.

"What I found was that there were a bunch of email clients including Outlook that were more than happy to pass over their credentials to a web server within your domain tree and what Guardicore found was that in many cases it kept going up the tree to the TLD, meaning you were no longer just worrying about your own web server.

"What could possibly go wrong?"
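To make the "back off" walk concrete, here is an added example; it is not code from the original post, from Microsoft or from Guardicore. It models the domain walk for one address and separates the candidate hosts the organisation controls from those that leave it, which is the list an administrator would want to audit and block. The strip-one-label-per-step walk and the `autodiscover.` prefix are simplifying assumptions; real clients differ in the URL paths they request and in the exact order of attempts.

```python
"""Model of the Autodiscover "back-off" domain walk described above.

Added illustrative example; it is not code from the original post, from
Microsoft or from Guardicore. Assumption: the client tries
autodiscover.<domain> and then strips the leftmost label of the domain one
step at a time until only the top-level domain remains. Real clients differ
in the URL paths they request and in the exact order of attempts.
"""
from typing import List, Tuple


def backoff_candidates(email: str) -> List[str]:
    """Return the hostnames a back-off walk would contact for this address.

    Constructed input alice@mail.corp.example.com yields, in order,
    autodiscover.mail.corp.example.com, autodiscover.corp.example.com,
    autodiscover.example.com and finally autodiscover.com (the TLD).
    """
    if "@" not in email:
        raise ValueError(f"not an email address: {email!r}")
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    labels = [label for label in domain.split(".") if label]
    if not labels:
        raise ValueError(f"empty domain in: {email!r}")
    # Each step drops the leftmost label, so the last entry is autodiscover.<tld>.
    return [f"autodiscover.{'.'.join(labels[i:])}" for i in range(len(labels))]


def is_outside_org(host: str, org_domain: str) -> bool:
    """True when host is neither the org domain itself nor a subdomain of it."""
    org = org_domain.strip().lower().rstrip(".")
    return not (host == org or host.endswith("." + org))


def audit(email: str, org_domain: str) -> Tuple[List[str], List[str]]:
    """Split the candidates into hosts the org controls and hosts it does not.

    Every entry in the second list is a name someone else can register; a
    client that reaches it hands over the user's credentials to a stranger.
    """
    inside, outside = [], []
    for host in backoff_candidates(email):
        (outside if is_outside_org(host, org_domain) else inside).append(host)
    return inside, outside


def sinkhole_entries(email: str, org_domain: str) -> List[str]:
    """hosts-file style lines pinning the out-of-org candidates to a dead address.

    Assumption: the defender blocks at name resolution; an egress firewall
    rule for the same hostnames is an equivalent control.
    """
    return [f"0.0.0.0 {host}" for host in audit(email, org_domain)[1]]


if __name__ == "__main__":
    address, org = "alice@mail.corp.example.com", "example.com"  # constructed
    inside, outside = audit(address, org)
    print("controlled by the org:", inside)
    print("leave the org (block these):", outside)
    print("\n".join(sinkhole_entries(address, org)))
```

Run it against the real email domains in your tenant rather than the constructed one; for a multi-label domain such as a `.co.uk` address the out-of-org list has two entries, not one, and both need the same treatment.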

Microsoft's first response was to go all "We support responsible disclosure" because they apparently think that gets them off the hook for doing anything ever. 5 years is a long time to ignore a problem.

And of course there have been other problems with Exchange this year, problems that they seemed to ignore because they're Microsoft and only they get to determine what they work on. Well, Microsoft, and the bad guys who hammer them so badly that they finally realize they have to take action.

But then back in 2016 Microsoft decided that this wasn't a problem.

In any event, Microsoft acknowledged on August 11, 2016, that it had reproduced the issue in van Beek's report. Then on August 30, 2016, the Windows titan responded to van Beek by saying the report doesn't describe a genuine vulnerability:

And so they didn't fix it.

Just like with PrintNightmare, they don't want to make life hard, and so by making life easy (or trying to) for legitimate administrators, they make life impossible, by helping the bad guys. In this case it seems that their position is that their design wasn't bad; your implementation sucks. This is not their problem. Or it wasn't their problem until it blew up in their faces.

I think Steve Gibson of GRC said it best in episode 838 of Security Now. That episode is titled "autodiscover.fiasco" for good reason.

Given the evidence, we’re seeing that Microsoft has become a company that only responds to force. They must be forced to fix the things that are broken. “Responsible disclosure” is just a courtesy. It’s one that the industry might consider withdrawing if publishers do not honor their side of the implicit agreement to fix what’s been responsibly disclosed.

As I've said before, there will be no financial impacts to Microsoft for this botch-up. The terms and conditions you accepted when you purchased the software made that clear. So of course their attitude is "Meh, another security problem." How many organizations are going to drop Exchange, even given all of the problems that it has had in 2021?

And MS isn't the only company in this mode. I had a similar post last Sunday about how Apple is doing something very similar.
