• Admins, heads up! Another Patch Tuesday security hole has a public exploit

    A week ago today, I warned those of you running SQL Server systems to install the latest Patch Tuesday patches. In particular, CVE-2020-0618 was cracked and Proof of Concept code was readily available.

    Now there’s a description on the Zero Day Initiative blog showing that another Patch Tuesday security hole, CVE-2020-0688, is ripe for the picking on systems running Exchange Server.

    If you aren’t in charge of a SQL Server or Exchange Server system, you can return to your normally scheduled programming. But if you’re in the hot seat for either or both, it’s time to take Susan Bradley’s advice and get patched. Like, now.

    UPDATE: This is really bad. From Kevin Beaumont:

    From playing with this last night – this vulnerability rains credentials. You land as SYSTEM. Run Mimikatz. Exchange stores user credentials in memory in plain text, so you end up with every user password, no hashing.