Microsoft patches critical JASBUG Windows flaw

Microsoft has issued an urgent security advisory for a critical flaw in Windows that allows attackers to remotely gain full control of user systems.

Named "JASBUG", the vulnerability affects all computers and devices that are members of corporate Active Directories.

The flaw was discovered by security firm JAS Global Advisers, which reported the vulnerability to Microsoft in January last year. 

Although JAS said Microsoft immediately understood the seriousness of the vulnerability, fixing the problem was more difficult because it was caused by a design problem introduced in Windows 15 years ago, rather than simply a software bug.

The design flaw means devices on corporate networks don't adequately verify the authenticity of the Active Directory server they connect to. 

In order to remedy the flaw, Microsoft was forced to re-engineer core components of Windows, to add several new features.

This meant extensive testing to ensure backwards compatibility, supported configurations, and new documentation to describe the changes was required, a process that took Microsoft over a year.

Microsoft rates the vulnerability in AD Group Policy as critical, and said it allows remote code execution with complete control of user systems.

In order to exploit the vulnerability, users with domain-configured Windows systems only need to be lured to connect to networks under attackers' control.

Once connected, attackers can install software, view, change and delete data as well as create new accounts with full user rights, Microsoft warned.

Computers that connect to remote corporate networks via untrusted networks such as wi-fi hotspots are most at risk from JASBUG, Microsoft said. There are no mitigating factors or workarounds available for JASBUG.

All current versions of Windows desktop and Server operating systems are affected by JASBUG and will receive patches via Windows Update.

Administrators must also apply new AD Group Policy settings to protect against the vulnerability.

But no update is available for Windows Server 2003 - Microsoft said it would require significant re-architecting of the operating system, which is being made obsolete this year.

The open source SAMBA SMB/CIFS file server and Active Directory Domain Controller is unlikely to be vulnerable to JASBUG, project co-founder Jeremy Allison told iTnews.

"This is a client vulnerability when downloading files specified by Group Policy settings. As SAMBA clients don't download Group Policy settings, I don't believe we are affected," Allison said.

He said Microsoft notifies the project's security officers if they find vulnerabilities in the SAMBA code.

Further critical vulnerabilities plugged

The company also issued other updates today as part of its regular Patch Tuesday cycle.

Among these is a set of fixes for 41 vulnerabilities in Microsoft's Internet Explorer web browser. Microsoft rates the patch batch as critical in its MS15-009 security bulletin, since most of the vulnerabilities discovered can be exploited remotely for code execution.

Another flaw rated as critical affects the Windows kernel mode driver. Microsoft has patched six vulnerabilities in Windows that could permit remote code execution if a user opens a specially crafted document, or visits a website with embedded TrueType fonts.