Redmond (dpa) - Microsoft has again to plug security gaps in its Exchange Server e-mail software with an update.

The software group released updates for versions from 2013, 2016 and 2019 on Tuesday.

They were also affected by vulnerabilities that Microsoft had already closed with an update in March.

The reference to two of the four new problems came from the US secret service NSA.

We do not know of any malware that has already exploited the vulnerabilities, explained Microsoft.

Nevertheless, the company recommended installing the updates immediately.


The White House ordered all US government agencies to update their email servers immediately.

Vice security advisor Anne Neuberger emphasized that the US government had reported the vulnerability to Microsoft because of its responsibility.

Secret services are specifically looking for security holes in order to exploit them.

In the US government apparatus there is a process in which it is weighed whether a vulnerability could become too dangerous for the general public if an intelligence agency kept it to itself.

The NSA is responsible for electronic espionage abroad.

In 2017, a security gap discovered by the secret service was exploited by hackers to infect computers on a large scale with WannaCry blackmail software.

Such programs encrypt the hard drive and charge a fee to release it.

At that time, among other things, British hospitals and display boards of Deutsche Bahn were affected by WannaCry.

The NSA came under criticism for failing to close the security gap.


According to estimates by IT security experts, the Exchange vulnerabilities that became known in March infected tens of thousands of e-mail servers worldwide.

The attackers partially took advantage of the fact that the updates had to be installed manually - and not all Exchange customers reacted quickly.

According to Microsoft's assessment, the four security holes from the March update were initially exploited by Chinese hackers.

Various other attackers were later added.

In the event of a successful attack via the vulnerabilities, it was possible to access data from the e-mail system.

In the meantime, the US Federal Police, the FBI, removed malware from "hundreds of computers" in the US, which were infected with the help of the security holes that became known in March.

Some operators of Exchange servers were not able to delete the backdoors set up by attackers in January and February, the US Department of Justice said.


Only servers that companies operate themselves are affected by the Exchange vulnerabilities.

The online versions of the Exchange services were already protected.

In the large package of security updates, Microsoft closed more than 100 vulnerabilities on Tuesday, including in the Windows operating system, its Edge web browser and the Office office programs.

© dpa-infocom, dpa: 210414-99-193951 / 2