Warning: Patch Windows Now
Flaw Could Enable Takeover of a Device
Enterprise IT administrators are being urged to immediately patch a flaw that affects every Windows system released in the past 15 years. Attackers could remotely exploit the flaw to take control of a device and run any code of their choice.
The flaw, which Microsoft revealed Feb. 10 as part of its monthly "Patch Tuesday" update release, affects every Windows operating system from Windows 2000 and Windows XP through Windows 10 Technical Preview, which was released in January. The bug, labeled CVE-2015-0057, exists in "dead code" - meaning code that no longer does anything - in a part of the Windows kernel that handles scrollbar functionality, says Israeli computer and network security vendor enSilo. The company says it discovered the bug "a few months ago" and privately reported it to Microsoft, which has detailed it in its MS15-010 Security Bulletin.
The vulnerability could be used by an attacker to gain root-level access to a system. "In other words, a threat actor that gains access to a Windows machine - say, through a phishing campaign - can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization," reverse-engineering expert Udi Yavo, CTO at enSilo, says in a technical analysis of the vulnerability. "The exploit requires modifying only a single bit of the Windows operating system. We have verified this exploit against all supported Windows desktop versions, including Windows 10 Technical Preview."
Yavo says he was able to build a working exploit for the old bug, although he pledged not to reveal any related code or more details about how to exploit the vulnerability. But the flaw could soon be targeted by crimeware toolkit builders or added to Metasploit, the open source penetration testing framework.
"These privilege-escalation exploitable vulnerabilities are very rare - and highly attractive on the underground cybercrime markets," Yavo says in a related blog post.
Microsoft this week released nine security bulletins, including four that address fixes for Windows flaws that can be used to remotely execute code on vulnerable systems. The company also shipped an update for Internet Explorer that fixes 41 flaws present in IE6 through IE11, including one that was already disclosed.
One of those Microsoft updates - detailed in Windows Security Bulletin MS15-011 - addresses a "critical" flaw in Group Policy that has been labeled CVE-2015-0008. This bug - as with the flaw discovered by enSilo - could be adapted to hack Windows devices. "Exploitation of this vulnerability could allow a remote attacker to take complete control of an affected system," the U.S. Computer Emergency Response Team says in a security alert.
"This [bug] is serious for domain-joined systems, but it requires the vulnerable system to be joined to an attacker's network. So the biggest exposure is likely going to be for traveling work laptops," Christopher Budd, threats communications manager at anti-virus vendor Trend Micro, tells Information Security Media Group. "The impact is system-level code execution, so it's a complete compromise of the system."
US-CERT says it "strongly recommends administrators prioritize the application of the patch, and concurrently review and test the necessary configuration changes." Those changes, outlined in a related Microsoft Knowledge Base article, include using a new Windows feature called Universal Naming Convention Hardened Access, which the update installs. But the feature is not enabled by default. It must be activated via a Group Policy setting, and updated Windows systems then rebooted.
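One way to check the Group Policy change described above, as an added example that is not from Microsoft or the article: the script reads the Hardened UNC Paths policy values and reports whether the SYSVOL and NETLOGON shares require mutual authentication and integrity. The registry location, the two share names and the flag names are assumptions taken from Microsoft's published guidance for this feature, not from this page.

```powershell
# Added example: audit UNC Hardened Access on the local machine.
# Assumptions (not stated in the article): policy values live under this key,
# and SYSVOL and NETLOGON are the shares that must be hardened.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$RequiredShares   = 'NETLOGON', 'SYSVOL'
$RequiredFlags    = 'RequireMutualAuthentication', 'RequireIntegrity'

function ConvertFrom-HardenedPathValue {
    # 'RequireMutualAuthentication=1, RequireIntegrity=1' -> hashtable of flag -> setting
    param([string]$Value)
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    return $flags
}

function Test-HardenedPaths {
    # $Entries maps a UNC pattern (registry value name) to its policy string.
    param([hashtable]$Entries)
    foreach ($share in $RequiredShares) {
        # Accept any pattern that ends in the share name, e.g. \\*\SYSVOL
        $pattern = $Entries.Keys | Where-Object { $_ -like "*\$share" } | Select-Object -First 1
        $flags   = if ($pattern) { ConvertFrom-HardenedPathValue $Entries[$pattern] } else { @{} }
        $missing = @($RequiredFlags | Where-Object { $flags[$_] -ne '1' })
        [pscustomobject]@{
            Share    = $share
            Pattern  = $pattern
            Hardened = ($missing.Count -eq 0)
            Missing  = $missing -join ', '
        }
    }
}

# Constructed sample: SYSVOL lacks integrity, NETLOGON is not listed at all.
$weak = @{ '\\*\SYSVOL' = 'RequireMutualAuthentication=1' }
Test-HardenedPaths -Entries $weak | Format-Table -AutoSize

# Live check: an absent key means the feature was never enabled by policy.
$live = @{}
$key  = Get-Item -Path $HardenedPathsKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($n in $key.GetValueNames()) { $live[$n] = [string]$key.GetValue($n) }
}
Test-HardenedPaths -Entries $live | Format-Table -AutoSize
```

A patched machine that reports `Hardened = False` for either share has the update installed but the protection switched off.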
Budd recommends immediately patching this flaw. "There's no indication that there's a viable attack or exploit code out there for this yet, but the exploitability index rating is '1,' the highest, so this definitely should be a high priority for enterprise systems," he says. "The best advice for enterprise administrators is to apply this update as soon as possible. That and a good program of mature security solutions, including vulnerability shielding, can help - especially in this case, as there are no mitigating factors or workarounds available."
Warning: Windows XP, 2000, 2003
Patches for the flaw in Group Policy - addressed in MS15-011 - have been released for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. But related updates are not available for Windows 2000, Windows XP, or Windows Server 2003, and US-CERT warns that there are no workarounds available for securing any affected operating systems.
While Microsoft no longer supports Windows 2000 or XP, the lack of a fix for Windows Server 2003 - which remains supported through July 14, 2015 - is due to related technical challenges. "We determined that implementing these changes in Windows Server 2003 SP2 would require such comprehensive architecture changes that it would destabilize the system and result in application compatibility problems," Microsoft says. "We continue to recommend that customers who are security-conscious upgrade to our latest operating systems to keep pace with security threats and benefit from robust, modern operating system protection."
Microsoft's patches follow what's already been a busy year for Adobe, which in recent weeks has released patches for three separate zero-day vulnerabilities in its Flash plug-in for Web browsers.
"All of the known issues have been very quickly addressed by Adobe, typically turning around a fix in less than a week," Wolfgang Kandek, CTO of cloud security firm Qualys, says in a blog post. "Still, it is worrisome to see the amount of problems that cybercriminals are able to find in software that we all have installed and use in our daily lives."
News writer Jeffrey Roman also contributed to this story.