Critical ‘JASBUG’ vulnerability in Windows clients and servers patched

Domain-joined Windows clients (Vista, 7, 8, 8.1 and RT) and servers (2003 to 2012) had a root-level, remotely exploitable vulnerability that was discovered in January 2014 and has now been patched.

Professional services firm JAS Global Advisors and another firm called simMachines had been engaged by ICANN, the Internet Corporation for Assigned Names and Numbers, ‘to research potential technical issues relating to the rollout of new Generic Top Level Domains (New gTLDs) on the Internet.’

It was during this research that JAS and simMachines ‘uncovered a vulnerability not directly related to ICANN’s New gTLD Program nor to new TLDs in general.’

The vulnerability, dubbed ‘JASBUG’, turned out to be very serious. Microsoft was notified in January 2014 and classified it as ‘Critical’, its most serious rating for reported vulnerabilities, which covers flaws allowing ‘code execution without user interaction’.

In a fact sheet, JAS Global Advisors says 'The vulnerability impacts core components of the Microsoft Windows Operating System. All domain-joined Windows Clients and Servers (i.e. Members of a corporate Active Directory) may be at risk.

'The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device. Roaming machines – domain-joined Windows devices that connect to corporate networks via the public Internet (e.g. from hotels and coffee shops) – are at heightened risk.'

If left untreated, tens of millions of PCs, kiosks and other devices could be used to grant attackers administrator-level privileges.

JAS Global’s Jeff Schmidt found the bug and worked with Microsoft for a year to create the patch released today. More information is available in a Microsoft TechNet article.

In addition, Microsoft has published support documentation for IT professionals administering Microsoft environments, and urges that it be reviewed immediately.

We’re told that ‘As remediation involves a new feature that must be configured on Active Directory Clients and Servers, it is important that systems administrators move rapidly but responsibly.’

JASBUG was first reported to Microsoft in January 2014. Microsoft reportedly understood the seriousness of the vulnerability immediately and began to formulate its response.

In answer to the question ‘why did it take so long to fix?’, the JAS Global fact sheet states:

‘The circumstances around this vulnerability are unusual — if not unprecedented — necessitating the very long remediation cycle.

‘Unlike recent high-profile vulnerabilities like Heartbleed, Shellshock, Gotofail, and POODLE, this is a design problem not an implementation problem.

‘The fix required Microsoft to re-engineer core components of the operating system and to add several new features.

‘Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimise the potential for unanticipated side effects. Additionally, documentation and other communication with IT systems administrators describing the changes were needed.

‘Additionally, given the nature of the vulnerability, few stopgap mitigation techniques are available. Thus, it was critical to maintain confidentiality such that Microsoft had the time to “fix it right” as opposed to being forced to “fix it fast.” Rushed interim fixes are risky, unreliable, and potentially ineffective.

‘This is an instance of responsible vulnerability disclosure at its finest. Because of the combined efforts of JAS, simMachines, ICANN, and Microsoft, the Internet is a safer place.’

Microsoft’s security bulletin states: ‘This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.’

Windows Server 2003 is one of the affected products, but it is not receiving the update. Microsoft addresses this in its TechNet document:

‘Windows Server 2003 is listed as an affected product; why is Microsoft not issuing an update for it?’

‘The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003. To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component.

'The product of such a re-architecture effort would be sufficiently incompatible with Windows Server 2003 that there would be no assurance that applications designed to run on Windows Server 2003 would continue to operate on the updated system.’


Alex Zaharov-Reutt

One of Australia’s best-known technology journalists and consumer tech experts, Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and technology, lifestyle and reality TV shows.