But when you import the module directly into scripts, no automatic update check is performed. You will continue using out-of-date and potentially insecure bits when running the Exchange Online Remote PowerShell module.
And when the vulnerability is caused by something as fundamental as certificate validation, it should obviously be fixed. Which it eventually was, after Patrick Gray (the Risky Biz podcast host) helped the individual escalate their report through some different channels.
Instead I want to focus on the implications for customers who use the Exchange Online Remote PowerShell Module.
The first PowerShell-based administration for Exchange Online in Office 365 involved connecting to EXO using PowerShell remoting.
Of course, you don't know how important it is to accept the update, because there's no security notice published and nothing in the update dialog to indicate the severity of any vulnerability that the update fixes. If you're in a hurry to complete a task, skipping the update would be a natural reaction.
Yes, the preview URL still works as a convenient way to download the module, but the information page on TechNet was recently updated to remove the note about EXOPS being in preview (apparently it has been out of preview for longer, but the page was only updated recently).
The EXOPS module is available today either by going to the preview URL (which still works, and downloads the installer), or by launching the installer from within the Exchange Online admin center in the Hybrid section.
The EXOPS installer connects to a Microsoft URL and downloads the bits to install the module on your local computer.
The security issue is basically a lack of proper certificate validation that leaves EXOPS vulnerable to man-in-the-middle (MITM) attacks.
An attacker could hijack an authentication token from the session, which would be valid for up to 10 minutes, and perform administration tasks with all the privileges of the authenticated user.
A desktop icon is created as well so that you can launch the EXOPS module in a PowerShell session.