Microsoft patches decade-old Jasbug flaw

February 11, 2015 | 11:29

Tags: #active-directory #flaw #insecurity #jasbug #patch-tuesday #security #update-tuesday #vulnerability #windows

Companies: #microsoft

Microsoft has issued a patch for a critical security vulnerability in its Windows operating system, addressing what the flaw's discoverer describes as 'a fundamental design flaw' in the platform stretching back at least ten years.

Released yesterday as part of the company's regular Patch Tuesday, recently rebranded Update Tuesday, release cycle, the KB300473 software patch is designed to address a vulnerability dubbed Jasbug. Named for JAS Global Advisors, the company which discovered the flaw, Jasbug is rated by Microsoft as Critical - its most severe rating - as it opens the door to remote code execution on Windows device without the need for user interaction. If successfully exploited, the vulnerability grants the attacker full administrative access to the target machine; this access can then be used to gain further access to a corporate network.

It's corporate types that have the most to worry from Jasbug, in fact: the vulnerability only affects systems which are members of Active Directory domains, something which is rare in a home user environment. While Microsoft has focused on attacks which target a system on a local LAN - either as a means of spreading infections around a network or attacks on roaming systems connected to public Wi-Fi networks - JAS has claimed that its original report to Microsoft detailed an attack scenario which targets systems over the internet with no need for physical proximity.

JAS has further claimed that the bug represents a design, rather than implementation, flaw, which helps explain why the company has spent the last year working in secret with Microsoft to see the security hole plugged. 'The vulnerability was discovered by applying "big data" analytical techniques to very large (and relatively obscure) technical datasets. The analysis revealed unusual patterns in the datasets and focused additional expert inspection, the company explained in its factsheet on the vulnerability. 'The combination of sophisticated data analytics by simMachines and JAS’ technical security expertise revealed a fundamental design flaw that has remained elusive for at least a decade.

'Unlike recent high-profile vulnerabilities like Heartbleed, Shellshock, Gotofail, and Poodle, this is a design problem not an implementation problem,' JAS explained. 'The fix required Microsoft to re-engineer core components of the operating system and to add several new features. Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimize the potential for unanticipated side effects. Additionally, documentation and other communication with IT systems administrators describing the changes were needed.'

The patch is live now for all supported Windows platforms, with full details of its impact available in Microsoft's blog post on the matter. The patch was originally joined by a cumulative patch for Visual Studio 2010 Tools for Office Runtime, KB3001652, which has been withdrawn from Windows Update following reports that it was causing Windows systems to hang during installation - the latest in an ongoing trend for Microsoft to ship patches which cause problems for its users, despite the adherence to a monthly release cycle theoretically giving the company additional time for testing.
Discuss this in the forums
Mod of the Month May 2019 in Association with Corsair

June 13 2019 | 09:59