The vulnerability, called Jasbug, was first reported to Microsoft by JAS Global Advisors and simMachines back in January 2014, and the company has been working on the bug since. Microsoft's TechNet blog details the MS15-011 and MS15-014 patches.
The blog writes, "Today we are releasing MS15-011 & MS15-014 which harden group policy and address network access vulnerabilities that can be used to achieve remote code execution (RCE) in domain networks. The MS15-014 update addresses an issue in Group Policy update which can be used to disable client-side global SMB Signing requirements, bypassing an existing security feature built into the product. MS15-011 adds new functionality, hardening network file access to block access to untrusted, attacker controlled shares when Group Policy refreshes on client machines. These two updates are important improvements that will help safeguard your domain network."
Notably, the "critical" bug was reported to be a design problem in the core components of Microsoft's Windows operating system rather than an implementation problem. JAS Global Advisors in its factsheet explains, "The fix required Microsoft to re-engineer core components of the operating system and to add several new features. Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimize the potential for unanticipated side effects. Additionally, documentation and other communication with IT systems administrators describing the changes were needed."
The Microsoft TechNet blog details the vulnerability and explains how it could have been used.
This is an example of a 'coffee shop' attack scenario, where an attacker attempts to make changes to a shared network switch in a public place and so redirect client traffic to an attacker-controlled system.
- In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\10.0.0.100\Share\Login.bat .
- On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.
The attacker will have crafted the contents of Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim's machine.
- The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server 10.0.0.100 is now routed through to the attacker's machine.
- When the victim's machine next requests the file, the attacker's machine will return the malicious version of Login.bat.
This scenario also illustrates that this attack cannot be used broadly across the Internet - an attacker needs to target a specific system or group of systems that request files from this particular UNC path.
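The scenario above hinges on one detail: the client asks for a file by UNC path and accepts whatever server answers for that name, so an attacker who can intercept traffic only needs a share whose path matches. The MS15-011 hardening described earlier closes this by refusing to read from a matching path unless the connection proves the server's identity (mutual authentication) and protects the data in transit (integrity, i.e. SMB signing). The Python model below is an added illustration, not Microsoft's code or the blog's: it evaluates a constructed hardened-path policy against the page's own `\\10.0.0.100\Share\Login.bat` request. The policy shape (pattern plus `mutual_auth` / `integrity` flags) and the `SYSVOL` / `NETLOGON` share names in the default policy are assumptions for the example.

```python
"""
Constructed model of how a 'hardened UNC path' policy decides whether a
client may read from a share. Not Microsoft's implementation; the policy
format and default share names are assumptions made for this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Connection:
    """Observed properties of one SMB connection to a UNC path."""
    unc_path: str                   # e.g. r"\\10.0.0.100\Share\Login.bat"
    mutually_authenticated: bool    # server identity proven (Kerberos mutual auth)
    signed: bool                    # SMB signing negotiated (integrity)


# Assumed policy shape: UNC pattern -> required connection properties.
# '*' in the server position matches any server name, as in the page's
# attacker share \\*\Share\Login.bat.
DEFAULT_POLICY = {
    r"\\*\SYSVOL": {"mutual_auth": True, "integrity": True},
    r"\\*\NETLOGON": {"mutual_auth": True, "integrity": True},
}


def split_unc(path: str) -> tuple[str, str]:
    """Return (server, share) from a UNC path such as \\server\share\dir\file."""
    if not path.startswith("\\\\"):
        raise ValueError(f"not a UNC path: {path!r}")
    parts = path[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"UNC path needs a server and a share: {path!r}")
    return parts[0], parts[1]


def matches(pattern: str, path: str) -> bool:
    """Case-insensitive match of a \\server\share pattern against a UNC path."""
    pserver, pshare = split_unc(pattern)
    server, share = split_unc(path)
    return (fnmatchcase(server.lower(), pserver.lower())
            and fnmatchcase(share.lower(), pshare.lower()))


def evaluate(conn: Connection, policy=DEFAULT_POLICY) -> tuple[bool, str]:
    """Decide whether the client may read from conn.unc_path under policy.

    The first matching pattern wins. A connection that cannot prove the
    server's identity, or that is unsigned, is refused for hardened paths.
    Paths with no matching rule are allowed, as before the hardening.
    """
    for pattern, required in policy.items():
        if not matches(pattern, conn.unc_path):
            continue
        if required.get("mutual_auth") and not conn.mutually_authenticated:
            return False, f"{pattern}: mutual authentication required"
        if required.get("integrity") and not conn.signed:
            return False, f"{pattern}: integrity (SMB signing) required"
        return True, f"{pattern}: requirements satisfied"
    return True, "no hardened-path rule applies"


if __name__ == "__main__":
    # Constructed: the attacker's host answering for 10.0.0.100 cannot
    # complete mutual authentication as the real server, so it is unsigned
    # and unauthenticated from the client's point of view.
    spoofed = Connection(r"\\10.0.0.100\Share\Login.bat",
                         mutually_authenticated=False, signed=False)
    genuine = Connection(r"\\10.0.0.100\Share\Login.bat",
                         mutually_authenticated=True, signed=True)
    hardened = {r"\\*\Share": {"mutual_auth": True, "integrity": True}}

    print("no policy, spoofed :", evaluate(spoofed, {}))
    print("hardened, spoofed  :", evaluate(spoofed, hardened))
    print("hardened, genuine  :", evaluate(genuine, hardened))
```

With no hardened-path rule the spoofed share is read exactly as the scenario describes; once `\\*\Share` requires mutual authentication, the same request is refused because the attacker's host cannot authenticate as the real server, while the genuine, signed connection still succeeds.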
According to JAS Global Advisors, the vulnerability was remotely exploitable and could grant an attacker administrator-level permissions on the target machine or device. "Roaming machines - domain-joined Windows devices that connect to corporate networks via the public Internet (e.g. from hotels and coffee shops) - are at heightened risk," it added.
Aside from issuing the MS15-011 and MS15-014 patches, Microsoft is also guiding network administrators on how to protect domains from intrusions. Microsoft added it would not be issuing a fix for the vulnerability in Windows Server 2003, a still widely used operating system.
Alongside these, Microsoft also released other patches, notably MS15-009, a security update for Internet Explorer that Microsoft also rated "critical". That update resolves one publicly disclosed and 40 privately reported vulnerabilities in the Internet Explorer browser.
Microsoft has lately been busy fixing and releasing patches for various bugs that Google disclosed publicly under its Project Zero security initiative. The Redmond giant last month criticised Google's decision to publicly disclose a vulnerability in Windows 8.1. Despite the criticism from Microsoft, Google in mid-January went ahead and publicly disclosed two more bugs in Windows 7 and Windows 8.1, in line with its Project Zero policy.
Last year, Microsoft issued an emergency patch for a dangerous flaw that existed in Windows for nearly two decades. The vulnerability, disclosed by IBM security researchers, was in every Windows operating system since 1995 and could allow a hacker to take control of computers after luring Internet Explorer browser users to booby-trapped Internet pages.