Wednesday, 11 February 2015 07:48

Critical ‘JASBUG’ vulnerability in Windows clients and servers patched


Domain-joined Windows clients (Vista, 7, 8, 8.1 and RT) and servers (2003 to 2012) had a root-level, remotely exploitable vulnerability that was discovered in January 2014 and has now been patched.

Professional services firm JAS Global Advisors and another firm called simMachines had been engaged by ICANN, the Internet Corporation for Assigned Names and Numbers, ‘to research potential technical issues relating to the rollout of new Generic Top Level Domains (New gTLDs) on the Internet.’

It was during this research that JAS and simMachines ‘uncovered a vulnerability not directly related to ICANN’s New gTLD Program nor to new TLDs in general.’

The vulnerability, dubbed ‘JASBUG’, turned out to be very serious. Microsoft was notified in January 2014 and classified the vulnerability as ‘Critical’, allowing ‘code execution without user interaction’, which is the most serious rating Microsoft has for reported vulnerabilities.

In a fact sheet, JAS Global Advisors says ‘The vulnerability impacts core components of the Microsoft Windows Operating System. All domain-joined Windows Clients and Servers (i.e. Members of a corporate Active Directory) may be at risk.

‘The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device. Roaming machines – domain-joined Windows devices that connect to corporate networks via the public Internet (e.g. from hotels and coffee shops) – are at heightened risk.’

If left untreated, tens of millions of PCs, kiosks and other devices could be used to grant attackers administrator-level privileges.

JAS Global’s Jeff Schmidt found the bug and worked with Microsoft for a year to create the patch released today; more information is available in a Microsoft TechNet article.

In addition, Microsoft support documentation for IT professionals administering Microsoft environments is available, with the urging that the information be reviewed immediately.

We’re told that ‘As remediation involves a new feature that must be configured on Active Directory Clients and Servers, it is important that systems administrators move rapidly but responsibly.’

JASBUG was first reported to Microsoft in January 2014, with Microsoft reportedly immediately understanding the seriousness of the vulnerability and beginning to formulate its response.

In answer to the question ‘why did it take so long to fix?’, the JAS Global fact sheet states:

‘The circumstances around this vulnerability are unusual — if not unprecedented — necessitating the very long remediation cycle.

‘Unlike recent high-profile vulnerabilities like Heartbleed, Shellshock, Gotofail, and POODLE, this is a design problem not an implementation problem.

‘The fix required Microsoft to re-engineer core components of the operating system and to add several new features.

‘Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimise the potential for unanticipated side effects. Additionally, documentation and other communication with IT systems administrators describing the changes were needed.

‘Additionally, given the nature of the vulnerability, few stopgap mitigation techniques are available. Thus, it was critical to maintain confidentiality such that Microsoft had the time to “fix it right” as opposed to being forced to “fix it fast.” Rushed interim fixes are risky, unreliable, and potentially ineffective.

‘This is an instance of responsible vulnerability disclosure at its finest. Because of the combined efforts of JAS, simMachines, ICANN, and Microsoft, the Internet is a safer place.’

Microsoft’s security bulletin states: ‘This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.’

Although Windows Server 2003 is one of the affected products, Microsoft states in its TechNet document:

‘Windows Server 2003 is listed as an affected product; why is Microsoft not issuing an update for it?’

‘The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003. To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component.

‘The product of such a re-architecture effort would be sufficiently incompatible with Windows Server 2003 that there would be no assurance that applications designed to run on Windows Server 2003 would continue to operate on the updated system.’

Alex Zaharov-Reutt
