Professional services firm JAS Global Advisors and another firm called simMachines had been engaged by ICANN, the Internet Corporation for Assigned Names and Numbers, ‘to research potential technical issues relating to the rollout of new Generic Top Level Domains (New gTLDs) on the Internet.’
It was during this research that JAS and simMachines ‘uncovered a vulnerability not directly related to ICANN’s New gTLD Program nor to new TLDs in general.’
The vulnerability, dubbed ‘JASBUG’, turned out to be very serious: Microsoft was notified in January 2014 and classified it as ‘Critical’, allowing ‘code execution without user interaction’, which is the most serious rating Microsoft gives to reported vulnerabilities.
In a fact sheet, JAS Global Advisors says ‘The vulnerability impacts core components of the Microsoft Windows Operating System. All domain-joined Windows Clients and Servers (i.e. Members of a corporate Active Directory) may be at risk.
‘The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device. Roaming machines – domain-joined Windows devices that connect to corporate networks via the public Internet (e.g. from hotels and coffee shops) – are at heightened risk.’
If left unpatched, tens of millions of PCs, kiosks and other devices could be exploited to grant attackers administrator-level privileges.
JAS Global’s Jeff Schmidt found the bug and worked with Microsoft for a year to create the patch released today, with more information from a Microsoft TechNet article available here.
In addition, Microsoft support documentation for IT professionals administering Microsoft environments is available here, which Microsoft urges administrators to review immediately.
We’re told that ‘As remediation involves a new feature that must be configured on Active Directory Clients and Servers, it is important that systems administrators move rapidly but responsibly.’
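The configuration step the article refers to is the UNC Hardened Access Group Policy that Microsoft's update introduced; it is stored under the registry key named in the script below. The following audit script is an added example for administrators checking that the policy has actually reached a domain-joined host; it is not code from the article, from JAS Global Advisors or from Microsoft. The two share names it checks (the SYSVOL and NETLOGON shares that Microsoft's guidance for this fix covers) are an assumption and should be aligned with whatever paths your own GPO hardens.

```powershell
# Added audit example (not from the article): reports whether the UNC Hardened Access
# policy is configured on this host for the domain shares it should protect.
# The registry key is the documented location for the policy; the list of paths
# checked is an assumption, so adjust it to match your own Group Policy settings.

$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$expectedPaths = @('\\*\NETLOGON', '\\*\SYSVOL')

function Test-UncHardenedSetting {
    param([string]$Setting)
    # A path counts as hardened only when both mutual authentication and
    # integrity are required; whitespace in the value is ignored.
    if ([string]::IsNullOrEmpty($Setting)) { return $false }
    $s = $Setting -replace '\s', ''
    return ($s -match 'RequireMutualAuthentication=1') -and ($s -match 'RequireIntegrity=1')
}

function Get-UncHardeningStatus {
    $values = $null
    if (Test-Path $policyKey) {
        # Values under this key are named after the UNC path they harden.
        $values = Get-ItemProperty -Path $policyKey
    }
    foreach ($path in $expectedPaths) {
        # Property access with a variable name; missing values come back as $null.
        $setting  = if ($values) { $values.$path } else { $null }
        $hardened = Test-UncHardenedSetting -Setting $setting
        [pscustomobject]@{
            Path     = $path
            Setting  = $setting
            Hardened = $hardened
        }
    }
}

# Run the audit and flag any expected path that is not yet hardened.
$status = Get-UncHardeningStatus
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Hardened }) {
    Write-Warning 'One or more domain shares are not covered by UNC Hardened Access on this host.'
}
```

Run it in an elevated PowerShell session on a domain-joined client or server after the update and Group Policy refresh; a missing key or a value that lacks either `RequireMutualAuthentication=1` or `RequireIntegrity=1` means the remediation the article describes has not been applied to that machine.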
JASBUG was first reported to Microsoft in January 2014, with Microsoft reportedly immediately understanding the seriousness of the vulnerability and beginning to formulate its response.
In answer to the question ‘why did it take so long to fix?’, the JAS Global fact sheet states:
‘The circumstances around this vulnerability are unusual — if not unprecedented — necessitating the very long remediation cycle.
‘Unlike recent high-profile vulnerabilities like Heartbleed, Shellshock, Gotofail, and POODLE, this is a design problem not an implementation problem.
‘The fix required Microsoft to re-engineer core components of the operating system and to add several new features.
‘Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimise the potential for unanticipated side effects. Additionally, documentation and other communication with IT systems administrators describing the changes were needed.
‘Additionally, given the nature of the vulnerability, few stopgap mitigation techniques are available. Thus, it was critical to maintain confidentiality such that Microsoft had the time to “fix it right” as opposed to being forced to “fix it fast.” Rushed interim fixes are risky, unreliable, and potentially ineffective.
‘This is an instance of responsible vulnerability disclosure at its finest. Because of the combined efforts of JAS, simMachines, ICANN, and Microsoft, the Internet is a safer place.’
Microsoft’s security bulletin states: ‘This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.’
Although Windows Server 2003 is one of the affected products, Microsoft’s TechNet document states:
‘Windows Server 2003 is listed as an affected product; why is Microsoft not issuing an update for it?’
‘The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003. To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component.
‘The product of such a re-architecture effort would be sufficiently incompatible with Windows Server 2003 that there would be no assurance that applications designed to run on Windows Server 2003 would continue to operate on the updated system.’