Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/11/2015
04:51 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Microsoft Fix For Critical Active Directory Bug A Year In The Making

This critical Active Directory vuln along with two other particularly 'nasty' critical flaws have experts pushing organizations to pick up patching pace.

With a bundle of updates spread across nine bulletins, yesterday's Microsoft Patch Tuesday had the usual mix of critical and important vulnerabilities addressed. But on fix in particular stood out from the normal stock, as Microsoft rolled out an architectural revamp for JASBUG, a critical vulnerability that puts organizations using Active Directory at a big risk for remote exploitation that could put tens of millions of machines at risk of privilege escalation if left unpatched. The vulnerability itself is a root-level problem impacting core parts of Windows, which required serious engineering revamps from Microsoft that ultimately were a year in the making.

Put together with two other critical vulnerabilities fixed yesterday—one a cumulative update for Internet Explorer and the other problem in Kernel-Mode Driver —the update has some industry experts urging organizations to consider speeding up their update windows. This urgency highlights the difficulties some organizations will face now that Microsoft has ditched its Advance Notification Service.

"Now in month two of no advance notification from Microsoft and the change up in the exploitability index, it is quite challenging to determine exactly what Microsoft recommends for deployment and how best to get that done," says Russ Ernst, director of product management for Lumension. "It’s important IT know their environments well and weigh the updates according to severity and attack likelihood. Unfortunately, the 3 critical bulletins are nasty so it’s important to pay close attention."

As organizations sped to fix the issues in this round of fixes, they've not been met by smooth waters. According to early reports yesterday from SANS Internet Storm Center, there are a number of organizations who have been experiencing deployment problems, particularly around a patch for Visual Studio.

For its part, JASBUG is a vulnerability in group policy that "could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network," according to Microsoft's bulletin on the flaw. The vulnerability is a design flaw in the operating system, hence the extended time necessary to address it. Discovered by Jeff Schmidt, founder of JAS Global Advisors, the flaw required Microsoft to fix to fix how domain-configured systems connect to domain controllers.

"Many – if not most – information security problems have roots in identification and authentication subtleties," he wrote in a blog about the bug. "When software designers, implementers, and/or users don’t get identification and authentication right, things usually go awry.

According to Johannes Ullrich of SANS ISC, this "is a 'must apply' patch for any system traveling and connecting to untrusted networks."

Meanwhile, one of the other critical bulletins is for another flaw that could be used to commit remote code execution on most Windows versions via Kernel-Mode Driver. And the third critical problem was a big one for Internet Explorer, addressing over 41 CVEs. Included in this patch is the fix for ASLR bypass highlighted by iSIGHT research yesterday in its discovery announcement about Chinese-led watering hole attacks against Fortune.com.

"Workstations that frequently browse the internet are most at risk from these vulnerabilities. Due to the Enhanced Security Configuration mode that is enabled by default in server operating systems, servers are slightly more protected from some of these flaws," says Ryan Krause, vulnerability audit development manager for BeyondTrust. "Microsoft’s EMET software, when installed and configured to work with IE, also offers additional protection from many of these vulnerabilities. One additional note is that this update will also provide IE 11 users with additional security measures by disabling SSL 3.0 fallback attempts by default."

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
2/12/2015 | 8:22:53 AM
If it functions, don't patch.....WRONG!
I feel that many organizations exalt functionality of their applications above all else. As many times these applications are what bring in the revenue. Fear of breaking this dynamic halts many discussions of patching. However, if you have an efficient change management and patching process, then you will find patching to be effective, not only a security aspect but from a functionality perspective. Properly testing apps and patches before pushing into production will ensure that there is no downtime for apps, frameworks, and plug-ins during business hours and will decrease the overhead for letting potential updates stack.
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
5 Common Errors That Allow Attackers to Go Undetected
Matt Middleton-Leal, General Manager and Chief Security Strategist, Netwrix,  2/12/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-7505
PUBLISHED: 2020-02-18
Stack-based buffer overflow in the gif_next_LZW function in libnsgif.c in Libnsgif 0.1.2 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LZW stream in a GIF file.
CVE-2015-7567
PUBLISHED: 2020-02-18
SQL injection vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary SQL commands via the "passwordreset&token" parameter.
CVE-2012-0718
PUBLISHED: 2020-02-18
IBM Tivoli Endpoint Manager 8 does not set the HttpOnly flag on cookies.
CVE-2019-10791
PUBLISHED: 2020-02-18
promise-probe before 0.10.0 allows remote attackers to perform a command injection attack. The file, outputFile and options functions can be controlled by users without any sanitization.
CVE-2009-5146
PUBLISHED: 2020-02-18
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.