Another month, another Patch Tuesday, but this release has a special sting in the tail: a flaw in the fundamental design of Windows that's taken a year to correct, and is unfixable on Server 2003.
The critical blunder allows miscreants to completely take over a domain-configured Windows system if it is connected to a malicious network – wirelessly or wired. Most home users shouldn't be hit by this, as they are not usually domain-configured, but it's a massive pain in the ASCII for IT pros because work computers are typically set up to join a corporate-controlled domain.
Plug a corporate laptop, say, into a dodgy network in a cafe, and it's game over. According to Microsoft:
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
This remote-code execution flaw affects all supported versions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
"The circumstances around this vulnerability are unusual — if not unprecedented — necessitating the very long remediation cycle," explained JAS Global Advisors, the security firm that found the MS15-009 flaw.
"Unlike recent high-profile vulnerabilities like Heartbleed, Shellshock, Gotofail, and POODLE, this is a design problem not an implementation problem. The fix required Microsoft to re-engineer core components of the operating system and to add several new features. Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimize the potential for unanticipated side effects."
The bug (CVE-2015-0008) was discovered over a year ago when global DNS overlord ICANN hired JAS to check out the security of its systems for creating new generic top-level domains. Once it was found, a JAS employee spent a year working with Redmond to build a fix that wouldn't bork everyone's systems.
Microsoft said the flaw is so fundamental, it's "infeasible" to patch Server 2003 to fix it (cough, cough, Server 2003 is reaching its end of life).
"The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems," a spokesman for Microsoft told The Register.
"For customers running Windows Server 2003, we recommend using properly configured VPN solutions when connecting to untrusted networks."
The issue lies in how Windows handles group policy interaction with domain-configured systems.
For example, a user with a work laptop configured to use a domain could be sitting in a cafe, trying to access files on a corporate network. A man-in-the-middle attacker could modify the ARP tables in the wireless router to point the Windows system at a malicious domain that serves, say, a login.bat file with evil commands in it.
It sounds too easy, right? That's because cryptographic mechanisms and other protections to thwart this kind of attack could be disabled or broken.
How the attack is allowed to work
"A remote-code execution vulnerability existed in how Group Policy received and applied policy data when connecting to a domain," explained Microsoft's security team.
"Concurrently, a vulnerability existed whereby Group Policy could fail to retrieve valid security policy and instead apply a default, potentially less secure, group policy. This could, in turn, be used to disable the domain enforced SMB Signing policy."
The team continued:
More importantly, SMB Client doesn't require SMB Signing by default so it is possible to direct the domain related traffic, especially the unencrypted traffic, to attacker controlled machines and serve malicious content to the victims in response. To block this kind of attack we added the ability to harden the UNC path access within a domain network.
The Redmond giant said it's not aware of anyone exploiting this design flaw in the wild.
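For admins who want to confirm the UNC hardening and SMB signing described above are actually switched on, here is an added audit sketch; it is not from Microsoft or from this article. The registry locations and the `RequireMutualAuthentication` / `RequireIntegrity` value syntax are those of the Windows "Hardened UNC Paths" policy and the SMB client signing setting, and the choice of `\\*\SYSVOL` and `\\*\NETLOGON` as the paths to check is an assumption based on where Group Policy and logon scripts are served from.

```powershell
# Added audit example, not from the article. Registry paths and value syntax are
# the documented Hardened UNC Paths policy and SMB client signing settings.
$hardenedKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$smbClientKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$requiredPaths = '\\*\SYSVOL', '\\*\NETLOGON'   # shares that serve policy and logon scripts
$requiredFlags = 'RequireMutualAuthentication', 'RequireIntegrity'

function Test-HardenedPathValue {
    param([string]$Value)
    # Policy data looks like: RequireMutualAuthentication=1, RequireIntegrity=1
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair -split '=', 2
        if ($name.Trim()) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    foreach ($flag in $requiredFlags) {
        if ($flags[$flag] -ne '1') { return $false }
    }
    return $true
}

$key = Get-Item -Path $hardenedKey -ErrorAction SilentlyContinue
$results = foreach ($path in $requiredPaths) {
    # RegistryKey.GetValue matches the name literally, so '*' is not a wildcard here
    $value = if ($key) { $key.GetValue($path) } else { $null }
    [pscustomobject]@{
        Check = "Hardened UNC path $path"
        Value = $value
        Pass  = [bool]($value -and (Test-HardenedPathValue -Value $value))
    }
}

# A missing value means the default applies, which does not require signing
$smb = Get-ItemProperty -Path $smbClientKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue
$signing = if ($smb) { $smb.RequireSecuritySignature } else { $null }
$results = @($results) + [pscustomobject]@{
    Check = 'SMB client requires signing'
    Value = $signing
    Pass  = ($signing -eq 1)
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'This machine is not fully hardened against spoofed domain shares.'
}
```

Installing the update alone does not populate the hardened-path entries; they arrive through Group Policy, so a freshly patched machine can still fail the first two checks.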
More patches to apply
There are two other critical patches released. MS15-009 covers 41 reported flaws in Internet Explorer, affecting every version of the browser from version six upward on all operating systems. Visit the wrong website without this patch set installed and you could be pwned.
One of the IE bugs – CVE-2015-0071 – is a privilege-escalation hole, and was exploited in the wild. Allegedly, Chinese hackers combined it with a remote-code execution vulnerability in Adobe Flash to infect visitors to the Forbes website with malware. The "thought for the day" page was booby-trapped with code that exploited the programming flaws to hijack visitors' PCs during Thanksgiving in 2014, it's claimed.
Adobe patched its bug soon after, thwarting this particular attack.
Microsoft's second critical fix today covers Windows 7 and above, and server software after Server 2008 R2. The flaw concerns how the Windows kernel-mode driver deals with certain objects, particularly embedded TrueType fonts.
The remaining six patches are all rated important by Redmond and cover a smaller subset of Microsoft's wares. There are two security fixes for Office, tweaks for Group Policy that are presumably related to the design fix, a patch for Flash, and fixes for Virtual Machine and the graphics system. ®