Nino_Bilic, just so I'm clearer on the choices here:
--> Installing the March 2024 SU will address an RCE with a CVSS score of 8.8 [CVE-2024-26198], but will break attachment functionality for OWA clients on environments with Download Domains configured... and the hope is some future fix (at date TBD) will restore the attachment functionality for OWA clients?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26198
--> Disabling Download Domains allows OWA attachments to still work correctly even with the March 2024 SU installed, but leaves the systems exposed to an older, but different RCE with a CVSS score of 5.4 [CVE-2021-1730]
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730
To me it seems like if full OWA functionality is important to an environment, the compromise is to install the March 2024 SU (fixing the higher scored CVE), but disable Download Domains until there is a later fix to restore functionality. That obviously opens the door to the apparently lower scored [CVE-2021-1730], but I can't see that it's practical for OWA users to not have access to attachments.
Am I thinking about this correctly?