Wednesday, 11 February 2015 07:48

Critical ‘JASBUG’ vulnerability in Windows clients and servers patched


Domain-joined Windows clients (Vista, 7, 8, 8.1 and RT) and servers (2003 to 2012) have a root-level, remotely exploitable vulnerability that was discovered in January 2014 and has now been patched.

Professional services firm JAS Global Advisors and another firm called simMachines had been engaged by ICANN, the Internet Corporation for Assigned Names and Numbers, ‘to research potential technical issues relating to the rollout of new Generic Top Level Domains (New gTLDs) on the Internet.’

It was during this research that JAS and simMachines ‘uncovered a vulnerability not directly related to ICANN’s New gTLD Program nor to new TLDs in general.’

The vulnerability, dubbed ‘JASBUG’, turned out to be very serious. Microsoft was notified in January 2014 and classified the vuln as ‘Critical’, its most serious rating for reported vulnerabilities, because it allows ‘code execution without user interaction’.

In a fact sheet, JAS Global Advisors says ‘The vulnerability impacts core components of the Microsoft Windows Operating System. All domain-joined Windows Clients and Servers (i.e. Members of a corporate Active Directory) may be at risk.

‘The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device. Roaming machines – domain-joined Windows devices that connect to corporate networks via the public Internet (e.g. from hotels and coffee shops) – are at heightened risk.’

If left unpatched, tens of millions of PCs, kiosks and other devices could be exploited to grant attackers administrator-level privileges.

JAS Global’s Jeff Schmidt found the bug and worked with Microsoft for a year to create the patch released today, with more information from a Microsoft TechNet article available here

In addition, Microsoft support documentation for IT professionals administering Microsoft environments is available here, with the urging that the information should be immediately reviewed.

We’re told that ‘As remediation involves a new feature that must be configured on Active Directory Clients and Servers, it is important that systems administrators move rapidly but responsibly.’

JASBUG was first reported to Microsoft in January 2014, with Microsoft reportedly immediately understanding the seriousness of the vulnerability and beginning to formulate its response.

In answer to the question ‘why did it take so long to fix?’, the JAS Global fact sheet states:

‘The circumstances around this vulnerability are unusual — if not unprecedented — necessitating the very long remediation cycle.

‘Unlike recent high-profile vulnerabilities like Heartbleed, Shellshock, Gotofail, and POODLE, this is a design problem, not an implementation problem.

‘The fix required Microsoft to re-engineer core components of the operating system and to add several new features.

‘Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimise the potential for unanticipated side effects. Additionally, documentation and other communication with IT systems administrators describing the changes were needed.

‘Additionally, given the nature of the vulnerability, few stopgap mitigation techniques are available. Thus, it was critical to maintain confidentiality such that Microsoft had the time to “fix it right” as opposed to being forced to “fix it fast.” Rushed interim fixes are risky, unreliable, and potentially ineffective.

‘This is an instance of responsible vulnerability disclosure at its finest. Because of the combined efforts of JAS, simMachines, ICANN, and Microsoft, the Internet is a safer place.’

Microsoft’s security bulletin states: ‘This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.’

Although Windows Server 2003 is one of the affected products, Microsoft, in its TechNet document, states:

‘Windows Server 2003 is listed as an affected product; why is Microsoft not issuing an update for it?’

‘The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003. To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component.

‘The product of such a re-architecture effort would be sufficiently incompatible with Windows Server 2003 that there would be no assurance that applications designed to run on Windows Server 2003 would continue to operate on the updated system.’




Alex Zaharov-Reutt



