Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/11/2015
04:51 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Microsoft Fix For Critical Active Directory Bug A Year In The Making

This critical Active Directory vuln along with two other particularly 'nasty' critical flaws have experts pushing organizations to pick up patching pace.

With a bundle of updates spread across nine bulletins, yesterday's Microsoft Patch Tuesday had the usual mix of critical and important vulnerabilities addressed. But on fix in particular stood out from the normal stock, as Microsoft rolled out an architectural revamp for JASBUG, a critical vulnerability that puts organizations using Active Directory at a big risk for remote exploitation that could put tens of millions of machines at risk of privilege escalation if left unpatched. The vulnerability itself is a root-level problem impacting core parts of Windows, which required serious engineering revamps from Microsoft that ultimately were a year in the making.

Put together with two other critical vulnerabilities fixed yesterday—one a cumulative update for Internet Explorer and the other problem in Kernel-Mode Driver —the update has some industry experts urging organizations to consider speeding up their update windows. This urgency highlights the difficulties some organizations will face now that Microsoft has ditched its Advance Notification Service.

"Now in month two of no advance notification from Microsoft and the change up in the exploitability index, it is quite challenging to determine exactly what Microsoft recommends for deployment and how best to get that done," says Russ Ernst, director of product management for Lumension. "It’s important IT know their environments well and weigh the updates according to severity and attack likelihood. Unfortunately, the 3 critical bulletins are nasty so it’s important to pay close attention."

As organizations sped to fix the issues in this round of fixes, they've not been met by smooth waters. According to early reports yesterday from SANS Internet Storm Center, there are a number of organizations who have been experiencing deployment problems, particularly around a patch for Visual Studio.

For its part, JASBUG is a vulnerability in group policy that "could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network," according to Microsoft's bulletin on the flaw. The vulnerability is a design flaw in the operating system, hence the extended time necessary to address it. Discovered by Jeff Schmidt, founder of JAS Global Advisors, the flaw required Microsoft to fix to fix how domain-configured systems connect to domain controllers.

"Many – if not most – information security problems have roots in identification and authentication subtleties," he wrote in a blog about the bug. "When software designers, implementers, and/or users don’t get identification and authentication right, things usually go awry.

According to Johannes Ullrich of SANS ISC, this "is a 'must apply' patch for any system traveling and connecting to untrusted networks."

Meanwhile, one of the other critical bulletins is for another flaw that could be used to commit remote code execution on most Windows versions via Kernel-Mode Driver. And the third critical problem was a big one for Internet Explorer, addressing over 41 CVEs. Included in this patch is the fix for ASLR bypass highlighted by iSIGHT research yesterday in its discovery announcement about Chinese-led watering hole attacks against Fortune.com.

"Workstations that frequently browse the internet are most at risk from these vulnerabilities. Due to the Enhanced Security Configuration mode that is enabled by default in server operating systems, servers are slightly more protected from some of these flaws," says Ryan Krause, vulnerability audit development manager for BeyondTrust. "Microsoft’s EMET software, when installed and configured to work with IE, also offers additional protection from many of these vulnerabilities. One additional note is that this update will also provide IE 11 users with additional security measures by disabling SSL 3.0 fallback attempts by default."

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
2/12/2015 | 8:22:53 AM
If it functions, don't patch.....WRONG!
I feel that many organizations exalt functionality of their applications above all else. As many times these applications are what bring in the revenue. Fear of breaking this dynamic halts many discussions of patching. However, if you have an efficient change management and patching process, then you will find patching to be effective, not only a security aspect but from a functionality perspective. Properly testing apps and patches before pushing into production will ensure that there is no downtime for apps, frameworks, and plug-ins during business hours and will decrease the overhead for letting potential updates stack.
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27155
PUBLISHED: 2020-10-22
An issue was discovered in Octopus Deploy through 2020.4.4. If enabled, the websocket endpoint may allow an untrusted tentacle host to present itself as a trusted one.
CVE-2020-27195
PUBLISHED: 2020-10-22
HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6
CVE-2020-7020
PUBLISHED: 2020-10-22
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents ...
CVE-2020-26649
PUBLISHED: 2020-10-22
AtomXCMS 2.0 is affected by Incorrect Access Control via admin/dump.php
CVE-2020-26650
PUBLISHED: 2020-10-22
AtomXCMS 2.0 is affected by Arbitrary File Read via admin/dump.php