Patch now: Design flaw in Windows security allows hackers to own corporate laptops, PCs

Nine fixes to install, three critical and one super bad


Another month, another Patch Tuesday, but this release has a special sting in the tail: a flaw in the fundamental design of Windows that's taken a year to correct, and is unfixable on Server 2003.

The critical blunder allows miscreants to completely take over a domain-configured Windows system if it is connected to a malicious network – wirelessly or wired. Most home users shouldn't be hit by this, as they are not usually domain-configured, but it's a massive pain in the ASCII for IT pros because work computers are typically set up to join a corporate-controlled domain.

Plug a corporate laptop, say, into a dodgy network in a cafe, and it's game over. According to Microsoft:

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This remote-code execution flaw affects all supported versions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

"The circumstances around this vulnerability are unusual — if not unprecedented — necessitating the very long remediation cycle," explained JAS Global Advisors, the security firm that found the MS15-009 flaw.

"Unlike recent high-profile vulnerabilities like Heartbleed, Shellshock, Gotofail, and POODLE, this is a design problem not an implementation problem. The fix required Microsoft to re-engineer core components of the operating system and to add several new features. Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimize the potential for unanticipated side effects."

The bug (CVE-2015-0008) was discovered over a year ago when global DNS overlord ICANN hired JAS to check out the security of its systems for creating new generic top-level domains. Once it was found, a JAS employee spent a year working with Redmond to build a fix that wouldn't bork everyone's systems.

Microsoft said the flaw is so fundamental, it's "infeasible" to patch Server 2003 to fix it (cough, cough, Server 2003 is reaching its end of life).

"The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems," a spokesman for Microsoft told The Register.

"For customers running Windows Server 2003, we recommend using properly configured VPN solutions when connecting to untrusted networks."

The issue lies in how Windows handles group policy interaction with domain-configured systems.

For example, a user with a work laptop configured to use a domain could be sitting in a cafe, trying to access files on a corporate network. A man-in-the-middle attacker could modify the ARP tables in the wireless router to point the Windows system at a malicious domain that serves, say, a login.bat file with evil commands in it.

It sounds too easy, right? That's because cryptographic mechanisms and other protections to thwart this kind of attack could be disabled or broken.

How the attack is allowed to work

"A remote-code execution vulnerability existed in how Group Policy received and applied policy data when connecting to a domain," explained Microsoft's security team.

"Concurrently, a vulnerability existed whereby Group Policy could fail to retrieve valid security policy and instead apply a default, potentially less secure, group policy. This could, in turn, be used to disable the domain enforced SMB Signing policy."

The team continued:

More importantly, SMB Client doesn't require SMB Signing by default so it is possible to direct the domain-related traffic, especially the unencrypted traffic, to attacker-controlled machines and serve malicious content to the victims in response. To block this kind of attack we added the ability to harden the UNC path access within the domain network.

The Redmond giant said it's not aware of anyone exploiting this design flaw in the wild.
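As an added example, not code from the article or from Microsoft: a PowerShell audit script that checks the two client-side controls Microsoft's explanation above hinges on, whether the SMB client requires signing and whether UNC Hardened Access demands mutual authentication and integrity for the SYSVOL and NETLOGON shares Group Policy reads from, and optionally enforces both. It assumes the `HardenedPaths` registry key and its `RequireMutualAuthentication=1, RequireIntegrity=1` value format are the interface the update introduced; verify against current Microsoft guidance before pushing it out through Group Policy.

```powershell
# Audit (and with -Enforce, fix) SMB client signing and UNC Hardened Access.
# Assumption: HardenedPaths key/value format as documented for this update.
param([switch]$Enforce)

$hardenedKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$required    = 'RequireMutualAuthentication=1, RequireIntegrity=1'
$shares      = @('\\*\SYSVOL', '\\*\NETLOGON')   # where policy files and logon scripts live
$findings    = @()

# 1. SMB client signing: without it, policy traffic can be served by any host
#    that answers for the domain controller's name.
$smb = Get-SmbClientConfiguration
if (-not $smb.RequireSecuritySignature) {
    $findings += 'SMB client does not require signing (RequireSecuritySignature=False)'
    if ($Enforce) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# 2. UNC Hardened Access for the shares Group Policy pulls from.
if (-not (Test-Path $hardenedKey)) {
    $findings += "HardenedPaths key missing: $hardenedKey"
    if ($Enforce) { New-Item -Path $hardenedKey -Force | Out-Null }
}
$props = if (Test-Path $hardenedKey) { Get-ItemProperty -Path $hardenedKey } else { $null }

foreach ($share in $shares) {
    $current = if ($props) { $props.$share } else { $null }
    # Parse "Name=Value, Name=Value" into a table so spacing/order do not
    # produce a false finding; both flags must be exactly "1".
    $flags = @{}
    if ($current) {
        foreach ($pair in ($current -split ',')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = $kv[1].Trim() }
        }
    }
    if ($flags['RequireMutualAuthentication'] -ne '1' -or $flags['RequireIntegrity'] -ne '1') {
        $findings += "$share is not hardened (current value: '$current')"
        if ($Enforce -and (Test-Path $hardenedKey)) {
            Set-ItemProperty -Path $hardenedKey -Name $share -Value $required
        }
    }
}

if ($findings.Count -eq 0) { 'OK: SMB signing required and policy shares hardened.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated prompt; without `-Enforce` it only reports, which is the mode to use first across a fleet so you can see which machines still accept unsigned, unauthenticated policy traffic.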

More patches to apply

There are two other critical patches released. MS15-009 covers 41 reported flaws in Internet Explorer hitting all versions of the browser from version six and above on all operating systems. Visit the wrong website without this patch set installed and you could be pwned.

One of the IE bugs – CVE-2015-0071 – is a privilege-escalation hole, and was exploited in the wild. Allegedly, Chinese hackers combined it with a remote-code execution vulnerability in Adobe Flash to infect visitors to the Forbes website with malware. The "thought for the day" page was booby-trapped with code that exploited the programming flaws to hijack visitors' PCs during Thanksgiving in 2014, it's claimed.

Adobe patched its bug soon after, thwarting this particular attack.

Microsoft's second critical fix today covers Windows 7 and above, and server software after Server 2008 R2. The flaw covers how the Windows kernel-mode driver deals with certain objects, particularly embedded TrueType fonts.

The remaining six patches are all rated important by Redmond and cover a smaller subset of Microsoft's wares. There are two security fixes for Office, tweaks for Group Policy that are presumably related to the design fix, a patch for Flash, and fixes for Virtual Machine and the graphics system. ®
