Thursday, February 12, 2015

Microsoft Fixed #JasBug (MS15-011 & MS15-014)

This 'Patch Tuesday', Microsoft issued a critical patch for every supported version of Windows. It resolves a bug (JasBug) that may have been open for as long as fifteen years and could allow attackers to remotely take control of Windows devices that connect to an Active Directory domain. The bug could allow an attacker to take complete control of a machine running the Windows operating system in a very straightforward manner.

Microsoft said on its blog that the attack could be carried out as follows:
"This is an example of a 'coffee shop' attack scenario, where an attacker would attempt to make changes to a shared network switch in a public place and can direct the client traffic to an attacker-controlled system.
In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\\Share\Login.bat.
On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.
The attacker will have crafted the contents of Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim's machine.
The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server is now routed through to the attacker's machine.
When the victim's machine next requests the file, the attacker's machine will return the malicious version of Login.bat."
This flaw was reported in January 2014 and took over a year to resolve because it was a problem in core Windows design logic, i.e. it was congenital.

The researchers who found and studied the bug said that "all computers and devices that are members of a corporate Active Directory network may be at risk. If successfully hacked, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, could view, change, or delete data, or could create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights."

Although a patch is available for download, it's not quite as easy as just installing the update this time around. (For more information refer
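Beyond installing the update, Microsoft's guidance for MS15-011 has administrators configure the "Hardened UNC Paths" Group Policy setting so that clients require mutual authentication and integrity on sensitive shares. The PowerShell audit below is an added example, not code from the original post or from Microsoft. The expected share patterns and flags in it are assumptions reflecting the commonly recommended values, so adjust them to your own policy.

```powershell
# Added example: audit the "Hardened UNC Paths" policy on a domain-joined client.
# Policy location: Computer Configuration > Administrative Templates >
# Network > Network Provider > Hardened UNC Paths.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Assumed baseline: shares that deliver Group Policy and logon scripts.
$expected = @('\\*\NETLOGON', '\\*\SYSVOL')
$required = @('RequireMutualAuthentication', 'RequireIntegrity')

$regKey = Get-Item -Path $key -ErrorAction SilentlyContinue
if (-not $regKey) {
    Write-Warning 'HardenedPaths key not found: UNC hardening is not configured.'
}
else {
    foreach ($path in $expected) {
        # Each registry value is named after a UNC pattern; its data looks like
        # "RequireMutualAuthentication=1, RequireIntegrity=1".
        $value = $regKey.GetValue($path)

        # Parse the comma-separated flag list (hashtable keys are case-insensitive).
        $flags = @{}
        foreach ($pair in ("$value" -split ',')) {
            $name, $setting = $pair.Trim() -split '=', 2
            if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
        }

        # A flag counts as enforced only when it is present and set to 1.
        $missing = @($required | Where-Object { $flags[$_] -ne '1' })

        [pscustomobject]@{
            UncPath = $path
            Value   = if ($null -eq $value) { '<not set>' } else { $value }
            Status  = if ($missing.Count -eq 0) { 'OK' }
                      else { 'Missing: ' + ($missing -join ', ') }
        }
    }
}
```

A host that has the update installed but reports the key as missing, or any path as "Missing", is still not enforcing the hardening.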

The strangest thing is that although Microsoft is still supporting Windows Server 2003 for a further five months, the company will not be issuing a fix for this problem because "the architecture to support the fix does not exist on Windows Server 2003." Companies that are still using a Windows Server 2003 domain should seriously consider upgrading.

(Security Consultant) Vishal
