It’s Patch Tuesday again and it’s really time you paid attention. A lot of attention. MS15-011 covers a security issue that, were I in charge of the ratings names, I would rate as Super-critical – because of the potential for exploitation more than its potential impact. If you have anyone taking a domain-joined workstation outside the corporate network, patch it now.
At present, there are no workarounds. If you have a domain-joined machine on a hostile network, it can be compromised. Test and patch today.
Jeff Schmidt of JAS Global Advisors discovered the vulnerability while doing research for ICANN and responsibly reported it to Microsoft. You can read more about the work that led to this discovery here. Microsoft immediately took action and made this fix available. Now it’s up to admins to deploy it.
So what’s the big deal? Researchers found that any domain-joined machine could be tricked into processing Group Policy Objects (GPOs) from rogue/fraudulent domain controllers. GPOs can deploy software, execute scripts, reconfigure services, add or remove registry permissions, add or remove registry keys, copy over files, and so on. They also execute with the elevated privileges of the operating system. This is usually a good thing, since it allows admins to configure their clients, deploy software and do myriad tasks that would be impossible to do manually.
In this case, an attacker who has a server hosting shares that match the SYSVOL format of Active Directory Domain Controllers, and who can control DHCP and DNS on a network, can trick a domain-joined machine into connecting to that share and processing all GPOs within it, including scripts, configuration and software deployment. It’s not an attack that is going to lead to the next class of malware, but if an attacker stands up a rogue access point, they can manipulate the network to compromise vulnerable machines, and that includes pretty much every laptop your company owns today.
This vulnerability impacts all supported Windows operating systems which are domain-joined. Machines in workgroup mode do not apply GPOs, so they are not at risk from this. Of note is that Windows Server 2003 is vulnerable but will not be patched, as the patch would significantly alter the core operating system and could render third-party applications unable to run. This should not actually be a problem for you, since any 2003 servers you have are probably running in your datacenter and are not apt to go down to the local coffee shop and get on a hotspot. However, you do want to make sure that any developers running 2003 VMs on their laptops do not connect them to unknown public networks.
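The fix for this issue works by making the SMB client demand mutual authentication and signing before it will read SYSVOL and NETLOGON, so a server that merely looks like a domain controller on a hostile network cannot feed a client GPOs. The following PowerShell script is an added example, not code from the original post or from Microsoft; it audits whether those hardened-path values are present on a domain-joined machine and, when run elevated with -Enforce, writes them locally. The registry location and the value syntax are those of the Hardened UNC Paths feature that the MS15-011 update introduces; the script name, parameter and output format are my own. It assumes the update is already installed: on an unpatched machine the values are simply ignored, so this is a check to run alongside patching, not a substitute for it.

```powershell
<#
  Added example (not from the original post or from Microsoft).
  Audits, and with -Enforce applies, the Hardened UNC Paths settings for SYSVOL and
  NETLOGON. Assumes the MS15-011 update is installed; without it these values do nothing.
#>
[CmdletBinding()]
param(
    [switch]$Enforce   # write the values instead of only reporting
)

# Registry location read by the hardened-path feature. The matching GPO setting lives under
# Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# The two shares every domain client reads during boot and logon. Mutual authentication
# means the client must verify the server's identity (Kerberos); integrity means SMB
# signing is required. Together they close the rogue-SYSVOL path described above.
$Required = [ordered]@{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Get-HardenedPathValue {
    param([string]$Share)
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    return (Get-Item -Path $KeyPath).GetValue($Share)
}

function Test-HardenedPathValue {
    # Compare ignoring whitespace and case, so a value written without the space after
    # the comma is still accepted.
    param([string]$Actual, [string]$Expected)
    if ([string]::IsNullOrEmpty($Actual)) { return $false }
    $a = ($Actual   -replace '\s', '').ToLowerInvariant()
    $e = ($Expected -replace '\s', '').ToLowerInvariant()
    return ($a -eq $e)
}

# Only domain-joined machines apply GPOs, so only they need this.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Output "$($cs.Name) is in workgroup mode; GPOs are not applied, nothing to harden."
    return
}

$results = @()
$missing = @()
foreach ($share in $Required.Keys) {
    $actual = Get-HardenedPathValue -Share $share
    $ok     = Test-HardenedPathValue -Actual $actual -Expected $Required[$share]
    $results += [pscustomobject]@{
        Share    = $share
        Hardened = $ok
        Current  = if ($actual) { $actual } else { '<not set>' }
    }
    if (-not $ok) { $missing += $share }
}
$results | Format-Table -AutoSize

if ($missing.Count -eq 0) {
    Write-Output 'All required UNC paths are hardened.'
}
elseif ($Enforce) {
    # Writing under HKLM\SOFTWARE\Policies needs an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell session to apply the settings.'
    }
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($share in $missing) {
        Set-ItemProperty -Path $KeyPath -Name $share -Value $Required[$share] -Type String
        Write-Output "Hardened $share"
    }
    # A local write is a stopgap for machines that are off the network; the domain GPO
    # carrying the same values should remain the source of truth and will reapply them.
}
else {
    Write-Output "Not hardened: $($missing -join ', '). Re-run elevated with -Enforce, or deploy the setting via Group Policy."
}
```

Run it without arguments from any session to get a per-share report; the domain policy, not a local registry write, is the right way to roll the setting out to a fleet, so -Enforce is intended for a laptop that is already off the corporate network and cannot pick up the GPO until it gets back.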
And just in case you still have some XP laptops floating around, you either need to seize them or reconfigure your VPN software so that they must get onto the corporate network before they can do anything else, and hard-code the DNS server addresses, because of course XP is well past its end of life and will not be receiving an update for this. If you needed justification to upgrade, here’s plenty. More importantly, if you’ve been delaying your patch strategy, it’s high time you started.