Microsoft fixes critical remotely exploitable Windows root-level design bug
In this month’s Patch Tuesday, Microsoft has released nine security bulletins to address 56 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software.
Of the nine security bulletins, three are rated Critical in severity, and among these three is one that addresses a years-old design flaw that can be exploited remotely to grant attackers administrator-level privileges to the targeted machine or device.
“The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explained in the bulletin.
The good news is that the bug has not been publicly disclosed, and there is no indication that it had been publicly used to attack customers. The bad news is that there are no mitigating factors or workarounds, so users and admins will have to deploy the patch and hope it won’t cause trouble with their Microsoft environments.
“The vulnerability impacts core components of the Microsoft Windows Operating System. All computers and devices that are members of a corporate Active Directory may be at risk,” JAS Global Advisors, the discoverers of the bug, explained.
“The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device. Roaming machines — Active Directory member devices that connect to corporate networks via the public Internet (possibly over a Virtual Private Network (VPN)) — are at heightened risk.”
All supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 are affected by the bug. Updates are not available for Windows XP, Windows Server 2003, or Windows 2000.
The vulnerability was unearthed by JAS Global Advisors founder Jeff Schmidt in January 2014, while he was working an engagement with ICANN. He immediately notified Microsoft about it, and worked with the company on the patch.
“The circumstances around this vulnerability are unusual — if not unprecedented — necessitating the very long remediation cycle,” JAS Global Advisors explained.
“Unlike recent high-profile vulnerabilities like Heartbleed, Shellshock, Gotofail, and POODLE, this is a design problem not an implementation problem. The fix required Microsoft to re-engineer core components of the operating system and to add several new features. Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimize the potential for unanticipated side effects. Additionally, documentation and other communication with IT systems administrators describing the changes were needed.
“Additionally, given the nature of the vulnerability, few stopgap mitigation techniques are available. Thus, it was critical to maintain confidentiality such that Microsoft had the time to ‘fix it right’ as opposed to being forced to ‘fix it fast.'”