Microsoft just issued a critical software patch to every version of Windows, to fix a bug that has probably existed undiscovered for as long as fifteen years.
Microsoft fixes ancient Windows security bug
The patch resolves a bug that would allow hackers to remotely take control of any Windows device that was connected to an Active Directory domain. In simple terms, that’s a kind of lookup service for Windows networks and is part of every Windows Server. If you’ve ever connected a laptop to an office IT system, you will no doubt have been using Active Directory [Wikipedia].
The flaw was nicknamed Jasbug, and could allow someone to hijack the machine as follows (according to the Microsoft blog (here comes the technical bit!):
This is an example of a ‘coffee shop’ attack scenario, where an attacker would attempt to make changes to a shared network switch in a public place and can direct the client traffic an attacker-controlled system.
In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\10.0.0.100\Share\Login.bat .
On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.
The attacker will have crafted the contents of Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim’s machine.
The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server 10.0.0.100 is now routed through to the attacker’s machine.
When the victim’s machine next requests the file, the attacker’s machine will return the malicious version of Login.bat.
According to JAS Advisors, (the company who found the bug) it was reported back in January 2014 and took over a year to fix because it was a core Windows design issue.
The researchers who discovered the flaw said that “all computers and devices that are members of a corporate Active Directory network may be at risk. If successfully executed, attackers could take full control of a machine, install applications or create new user accounts”.
Patch available for download today
The patch is available for download today via the normal Windows Update, but there’s also a bit more to do for network administrators to protect their domains from attack. This page from Microsoft has more information.
Worryingly, even though Microsoft will support Windows Server 2003 for five more months, the company won’t issue a fix for this problem on that version of Windows because “the architecture to support the fix does not exist on Windows Server 2003”. So if you are using a Windows Server 2003 domain, it might be time to upgrade.
As far as home users go (i.e. you and me), we don’t appear to be directly at risk from the issue, as such domains are mainly used in businesses, but it’s worth installing the patch as soon as possible nevertheless. If you run a copied version of Windows, I would strongly advise considering purchasing a legitimate copy if you care about your online security at all.
To check for the latest Windows Updates, go to Control Panel > Windows Update and hit Check for Updates.