SHARE
Windows Group Policy vulnerability: broken link

Windows computers were in full compromise state because of the critical Windows vulnerability Tuesday being patched by Microsoft. The said changes had put corporate networks at great risk as well. This testing and patch development is for the error dubbed JASBUG, this took years and necessitated additional Group Policy hardening – this feature organizations utilize to centrally control Windows Active Directory.

According to JAS Global Advisors, the said Windows vulnerability serves as the Group Policy’s fundamental design flaw which remained undiscovered for almost a decade. The flaw was discovered together with simMachines, another security company, and reported to Microsoft in January 2014.

Base on the advisory of JAS on their official site, they stated that, unlike the recent high-profile vulnerabilities such as POODLE, Gotofail, Shellshock and Heartbleed, they considered it as “design problem” and not “implementation problem.” According to them, Microsoft needs to re-engineer the operating system’s core components and add quite a few features, too.

Microsoft released security bulletin MS15-011 to address the flaw of remote code execution. Along with this, they also fixed related security bypass of Group Policy issue in the MS15-014. This bulletin is to address the vulnerabilities of network access and to harden group policy which can be utilized to achieve RCE or Remote Code Execution of domain networks.

With regards to MS15-014, this addresses issue on the Groups Policy update that could be utilized to disable client side SMB Signing global requirements, bypassing existing security features in the said product.

The MS15-011 added new functionality which is used to harden the “network file access” to block untrusted access. Attackers control shares whenever Group Policy is refreshing their client machines. The mentioned two updates were essential improvement which aid in protecting domain network.

There was a blog post where security engineers of Microsoft explained that attackers most likely exploit vulnerabilities by utilizing technique such as ARP spoofing in local network to ploy computer to apply and accept wrong configuration data of Group Policy from servers that they control. Once exploitation is successful, these permit attackers to change data, create new accounts or install a program on vulnerable systems.

JAS notify that while this “on-LAN” attack vector undoubtedly of alarm because workers commonly connect company issued computers to “untrusted networks” like those in hotels and coffee shops. They consider this not mainly an attack scenario but more. To prevent attackers from spoofing domain controller, Microsoft added Universal Naming Convention – new feature to harden access with MS15-011 update. This obligates both server and client to authenticate one another before client can access the UNC resources. They also provided settings for checking or encrypting integrity of connections. Microsoft published a knowledge base article which makes the process of adopting the new feature easier.

Unfortunately, the solution provided is not feasible to Windows 2003 server, according to Microsoft. This obligates re-architecting of Group Policy component and other significant parts of operating system. Furthermore, these architectural changes can create incompatibility problem with applications designed to run Windows 2003 Server.

Since their explanation is quite reasonable, those companies who are expecting to get Windows 2004 server security patches by July have felt comforted. Even those who are beyond the scenario of planning to pay for this custom support, the statements made them feel at ease.

In fact, there are millions of Windows 2003 servers which are still running worldwide. According to analysts, migrating to the latest version of operating system will be challenging since entire business software ecosystem was established around the old OS.

LEAVE A REPLY