With a bundle of updates spread across nine bulletins, yesterday's Microsoft Patch Tuesday had the usual mix of critical and important vulnerabilities addressed. But on fix in particular stood out from the normal stock, as Microsoft rolled out an architectural revamp for JASBUG, a critical vulnerability that puts organizations using Active Directory at a big risk for remote exploitation that could put tens of millions of machines at risk of privilege escalation if left unpatched. The vulnerability itself is a root-level problem impacting core parts of Windows, which required serious engineering revamps from Microsoft that ultimately were a year in the making.
Put together with two other critical vulnerabilities fixed yesterday—one a cumulative update for Internet Explorer and the other problem in Kernel-Mode Driver —the update has some industry experts urging organizations to consider speeding up their update windows. This urgency highlights the difficulties some organizations will face now that Microsoft has ditched its Advance Notification Service.
"Now in month two of no advance notification from Microsoft and the change up in the exploitability index, it is quite challenging to determine exactly what Microsoft recommends for deployment and how best to get that done," says Russ Ernst, director of product management for Lumension. "It’s important IT know their environments well and weigh the updates according to severity and attack likelihood. Unfortunately, the 3 critical bulletins are nasty so it’s important to pay close attention."
As organizations sped to fix the issues in this round of fixes, they've not been met by smooth waters. According to early reports yesterday from SANS Internet Storm Center, there are a number of organizations who have been experiencing deployment problems, particularly around a patch for Visual Studio.
For its part, JASBUG is a vulnerability in group policy that "could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network," according to Microsoft's bulletin on the flaw. The vulnerability is a design flaw in the operating system, hence the extended time necessary to address it. Discovered by Jeff Schmidt, founder of JAS Global Advisors, the flaw required Microsoft to fix to fix how domain-configured systems connect to domain controllers.
"Many – if not most – information security problems have roots in identification and authentication subtleties," he wrote in a blog about the bug. "When software designers, implementers, and/or users don’t get identification and authentication right, things usually go awry.
According to Johannes Ullrich of SANS ISC, this "is a 'must apply' patch for any system traveling and connecting to untrusted networks."
Meanwhile, one of the other critical bulletins is for another flaw that could be used to commit remote code execution on most Windows versions via Kernel-Mode Driver. And the third critical problem was a big one for Internet Explorer, addressing over 41 CVEs. Included in this patch is the fix for ASLR bypass highlighted by iSIGHT research yesterday in its discovery announcement about Chinese-led watering hole attacks against Fortune.com.
"Workstations that frequently browse the internet are most at risk from these vulnerabilities. Due to the Enhanced Security Configuration mode that is enabled by default in server operating systems, servers are slightly more protected from some of these flaws," says Ryan Krause, vulnerability audit development manager for BeyondTrust. "Microsoft’s EMET software, when installed and configured to work with IE, also offers additional protection from many of these vulnerabilities. One additional note is that this update will also provide IE 11 users with additional security measures by disabling SSL 3.0 fallback attempts by default."