JASBUG

CVE identifier(s): CVE-2015-0008
Date discovered: January 2014
Discoverer: Jeff Schmidt (JAS Global Advisors)
Affected software: Microsoft Windows workstations and servers joined to an Active Directory domain (Windows Server 2003 through Windows 8.1 and Windows Server 2012 R2)

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 [1] and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. [2]


The vulnerability allows a remote attacker to take control of Windows devices that connect to an Active Directory domain. [3]

JASBUG is registered in the Common Vulnerabilities and Exposures system as CVE-2015-0008. [4] [5] The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security, issued ICS-ALERT-15-041-01, [6] warning control-system owners that they should expedite applying the critical JASBUG fixes.

Microsoft released two security updates, described in bulletins MS15-011 and MS15-014, [7] to address JASBUG on the same day the vulnerability was disclosed. The fixes took Microsoft over a year to develop and deploy [8] because of the complexity of the vulnerability.

At the time of disclosure, one estimate put the number of potentially affected computers outside the Fortune 500 alone at more than 300 million. [9]

History

JASBUG was disclosed to the public by Microsoft as a part of "Patch Tuesday," on February 10, 2015. [10]

Background

The vulnerability was initially reported to Microsoft in January 2014 [11] by Jeff Schmidt, founder of JAS Global Advisors. [12] After Microsoft publicly announced the vulnerability, it acquired the name JASBUG in reference to the role JAS Global Advisors played in discovering it. [13]

Discovery

In 2014, JAS Global Advisors was working on an engagement with the Internet Corporation for Assigned Names and Numbers (ICANN), the organization that coordinates the Internet's domain name system, to research potential technical issues surrounding the rollout of new generic top-level domains (gTLDs). [14]

While working on the research, JAS Global Advisors, with business partner SimMachines, [15] uncovered the vulnerability by applying "big data" analytical techniques to very large technical data sets.

Effect

JASBUG principally affects business and government users. Home users are less likely to be affected because their computers are not usually domain-joined. [16]

White House cybersecurity advisor Michael Daniel spoke about the importance of addressing JASBUG at a meeting of the Information Security and Privacy Advisory Board of the National Institute of Standards and Technology, and the Office of Management and Budget and the Department of Homeland Security immediately took steps to fix the vulnerability on federal networks. [17]

Suzanne E. Spaulding, serving as Under Secretary for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, mentioned JASBUG in a February 2015 House of Representatives hearing that touched on the potential effect of a DHS funding hiatus. [18]

In the aftermath of JASBUG, various government agencies updated their technical specifications to reduce the risk of exploitation. For example, the United States Department of Veterans Affairs decided in May 2015 to "unapprove" the use of Windows Server 2003 because of the JASBUG risk. [19]

Exploitation

According to Microsoft, the vulnerability lies in how Group Policy receives and applies policy data when a domain-joined system connects to a domain controller. [20] One likely path to exploitation is to lure a user with a domain-joined system onto a network controlled by an attacker, so that the attacker, rather than a legitimate domain controller, answers the system's requests for policy data. [21]

Despite its potential impact, there is no indication that JASBUG was ever exploited in the wild to gain access to corporate or government computers. [22]

Specific systems affected

JASBUG affects Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1. [23] Windows Server 2003 is also affected, but no JASBUG patch will be released for that platform, as Microsoft has indicated that building a fix for it is not feasible. [24] Windows XP and Windows 2000 are affected as well, but no patch will be made available for them because Microsoft no longer supports those operating systems. [25]

Bugfix and deployment

Unlike other high-profile vulnerabilities of the period such as Heartbleed, Shellshock, goto fail and POODLE, JASBUG was a design flaw rather than an implementation bug, which is unusual and makes this kind of vulnerability much harder to fix. [26] The fix required Microsoft to re-engineer core components of the operating system [27] and to add several new features, including additional hardening of Group Policy, the feature that organizations use to centrally manage Windows systems, applications, and user settings in Active Directory environments. [28]

Microsoft was not able to fix the JASBUG flaw on Windows Server 2003 systems, noting that "The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003." [29]

For platforms that remain unpatched or cannot be patched, security firms such as Symantec recommend that organizations use intrusion prevention systems (IPS) to monitor network traffic for attempts to exploit JASBUG. [30]
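The exploitation path described above (a domain-joined client accepting policy data from whatever answers on an attacker-controlled network) is what the Group Policy hardening in MS15-011 closes, and that hardening is a policy administrators must configure rather than something the update switches on by itself, a caveat Microsoft documented with the update. The following PowerShell is an added example, not code from this article, from Microsoft, or from JAS Global Advisors: it audits a client for the Hardened UNC Paths policy that MS15-011 introduced, reporting whether SYSVOL and NETLOGON require mutual authentication and integrity, and then checks whether the two updates are installed. The registry key, the value format, and the KB numbers assumed to correspond to MS15-011 and MS15-014 come from Microsoft's documentation of the update rather than from this page; verify them against the bulletins for your platform.

```powershell
# Added example (not from the article, Microsoft, or JAS Global Advisors):
# audit a domain-joined Windows host for the MS15-011 Group Policy hardening.
# Run in an elevated PowerShell session on the client being checked.
#
# Assumptions not stated in the article: the hardening policy lives under the
# HardenedPaths key below, one value per UNC path, formatted like
#   "\\*\SYSVOL" = "RequireMutualAuthentication=1, RequireIntegrity=1"
# and the KB numbers below are the ones Microsoft assigned to MS15-011 and
# MS15-014 (assumed mapping; confirm against the bulletins).

$hardenedKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$requiredShares = @('\\*\SYSVOL', '\\*\NETLOGON')   # the shares Group Policy reads from
$updateKbs      = @('KB3000483', 'KB3004361')        # MS15-011, MS15-014 (assumed)

function Test-HardenedUncPath {
    param([string]$Share)
    # Returns $true only when the policy for $Share requires BOTH mutual
    # authentication (the client must verify the server) and integrity
    # (signing, so a man-in-the-middle cannot tamper with the policy files).
    $props = Get-ItemProperty -Path $hardenedKey -ErrorAction SilentlyContinue
    if (-not $props) { return $false }              # key absent: policy never configured
    $prop = $props.PSObject.Properties[$Share]
    if (-not $prop) { return $false }               # no entry for this share
    $value = [string]$prop.Value

    # Parse "Name=1, Name2=0" into a hashtable; missing flags count as off.
    $flags = @{}
    foreach ($pair in ($value -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return ($flags['RequireMutualAuthentication'] -eq '1' -and
            $flags['RequireIntegrity'] -eq '1')
}

$hardeningOk = $true
foreach ($share in $requiredShares) {
    $ok = Test-HardenedUncPath -Share $share
    $hardeningOk = $hardeningOk -and $ok
    '{0,-14} hardened: {1}' -f $share, $ok
}

# Get-HotFix reads installed updates from WMI (Win32_QuickFixEngineering).
# A missing entry means the host never received the fix, which is always the
# case on the unpatchable platforms (Windows Server 2003, XP, 2000).
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty HotFixID
foreach ($kb in $updateKbs) {
    '{0} installed: {1}' -f $kb, ($installed -contains $kb)
}

if (-not $hardeningOk) {
    Write-Warning ('Hardened UNC Paths are not enforced for SYSVOL/NETLOGON; ' +
                   'the MS15-011 protection is not active on this host.')
}
```

A result of `hardened: False` for either share means that, even with the update installed, the client would still accept Group Policy data over an unauthenticated, unsigned connection on a hostile network. On Windows Server 2003, XP and 2000 the update check will report both KBs missing, which is the situation the compensating-control guidance above applies to. On newer systems that received the fix through later cumulative updates, `Get-HotFix` may not list the original 2015 KB numbers, so treat the registry check as the authoritative one.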


References

  1. Pagliery, Jose (2015-02-15). "Microsoft fixes a serious 15-year-old bug". CNN Money. Retrieved 2015-02-15. If any hackers knew about this since the year 2000, they could have used it to sneak into company computer systems and take complete control.
  2. Walker, Danielle (2015-02-10). "On Patch Tuesday, Microsoft unveils fix for critical Windows flaw 'JASBUG'". SC Magazine. Retrieved 2015-03-10. In a security bulletin, MS15-011, the tech giant revealed that the critical vulnerability affects all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
  3. Williams, Owen (2015-02-10). "Microsoft Patches Massive Flaw In Active Directory". The Next Web. Retrieved 2015-03-10. Today, Microsoft has issued a critical patch to every supported version of Windows that resolves a bug that may have been open for as long as fifteen years could allow attackers to remotely take control of Windows devices that connect to an Active Directory domain.
  4. "CVE - CVE-2015-0008". Cve.mitre.org. 2015-02-10. Retrieved 2015-03-10.
  5. Thomson, Iain (2015-02-10). "PATCH NOW: Design flaw in Windows security allows hackers to own corporate laptops, PCs". The Register. Retrieved 2015-03-10. The bug (CVE-2015-0008) was discovered over a year ago when global DNS overlord ICANN hired JAS to check out the security of its systems for creating new generic top-level domains.
  6. "Alert (ICS-ALERT-15-041-01) Microsoft Security Bulletin MS15-011 JASBUG". US-CERT. 2015-02-10. Retrieved 2015-03-10. Control systems that are members of a corporate Active Directory may be at risk. ICS-CERT is monitoring this vulnerability and will provide additional information related to control systems as it becomes available.
  7. "MS15-011 & MS15-014: Hardening Group Policy". Microsoft. 2015-02-10. Retrieved 2015-03-10.
  8. Saarinen, Juha (2015-02-10). "Microsoft patches critical JASBUG Windows flaw". ITNews Australia. Retrieved 2015-03-10. In order to remedy the flaw, Microsoft was forced to re-engineer core components of Windows, to add several new features. This meant extensive testing to ensure backwards compatibility, supported configurations, and new documentation to describe the changes was required, a process that took Microsoft over a year.
  9. Gaebler, Ken (2015-02-10). "New JASBUG Vulnerability Escalates The Importance Of Applying Today's Microsoft Patches". Gaebler Resources for Entrepreneurs. Retrieved 2015-03-10. Outside of the Fortune 500, we estimate that another 300 million computers could be affected by the JASBUG security threat.
  10. Hamilton, David (2015-02-10). "Microsoft Issues Security Updates Addressing 'JASBUG' Vulnerability in Windows". Web Host Industry Review. Retrieved 2015-03-10. Microsoft released technical patches [for JASBUG] as a part of its "Patch Tuesday" release on 10 February 2015.
  11. Fox-Brewster, Thomas (2015-02-10). "Why Microsoft Took A Year To Fix Critical Windows Bug That Allowed Hackers To Spy On Worker PCs". Forbes. Retrieved 2015-03-10. ...the Redmond tech titan learned about the problem back in January 2014.
  12. Chickowski, Ericka (2015-02-11). "Microsoft Fix For Critical Active Directory Bug A Year In The Making". Dark Reading. Retrieved 2015-03-10. Discovered by Jeff Schmidt, founder of JAS Global Advisors, the flaw required Microsoft to fix how domain-configured systems connect to domain controllers.
  13. "Jasbug: Microsoft plugs 15 year old Vulnerability". Der Spiegel. 2015-02-11. Retrieved 2015-03-10. The security hole was named after one of the companies that reported it to Microsoft. Because that company is called JAS Global Advisors, the flaw is called Jasbug.
  14. Zaharov-Reutt, Alex (2015-02-10). "Critical "JASBUG" vulnerability in Windows clients and servers patched". IT Wire. Retrieved 2015-03-10.
  15. Prince, Brian (2015-02-10). "Microsoft Patches Critical Windows, Internet Explorer Vulnerabilities in Patch Tuesday Update". Security Week. Retrieved 2015-03-10.
  16. Kumar, Mohit (2015-02-10). "15-Year-Old JasBug Vulnerability Affects All Versions of Microsoft Windows". The Hacker News. Retrieved 2015-03-10. Jasbug vulnerability do [sic] not affects home users because they are not usually domain-configured
  17. Mazmanian, Adam (2015-02-11). "Feds respond to critical Windows flaw". Federal Computer Week. Retrieved 2015-03-10.
  18. "Examining The President's Cybersecurity Information-Sharing Proposal". United States House of Representatives Hearing. 2015-02-25. Retrieved 2015-03-10. That has an impact on our ability to quickly address--identify and address vulnerabilities like the JASBUG vulnerability that has been most recently in the media.
  19. "Windows Server". US Department of Veterans Affairs Website. 2015-05-31. Retrieved 2015-03-10. Due to the critical nature of JASBUG, Windows Server 2003 is TRM unapproved and should only be used when the security risks are outweighed by the benefits as reviewed and approved by the AERB waiver process.
  20. "Microsoft Security Bulletin MS15-011 - Critical". Microsoft TechNet. 2015-02-10. Retrieved 2015-03-10.
  21. Illascu, Inotu (2015-02-11). "Microsoft Patches Critical Remote Code Execution Glitch in Group Policy". Softpedia. Retrieved 2015-03-10.
  22. "Microsoft fixes critical remotely exploitable Windows root-level design bug". Help Net Security. 2015-02-10. Retrieved 2015-03-10. ...there is no indication that it had been publicly used to attack customers.
  23. "New Windows JASBUG vulnerability requires immediate attention from systems administrators". Symantec. 2015-02-11. Retrieved 2015-03-10.
  24. Goodin, Dan (2015-02-10). "15-year-old bug allows malicious code execution in all versions of Windows". Ars Technica. Retrieved 2015-03-10. Patch now, unless you run 2003, in which case you're out of luck.
  25. Duval, Loic (2015-02-12). "JASBUG, le bug âgé de 14 ans qui fait peur aux entreprises". Tom's Hardware. Retrieved 2015-03-10. Since Windows 2000 and XP are no longer supported by Microsoft, no fixes exist for them.
  26. Wilhelm Aldershoff, Jan (2015-02-10). "BREAKING: Microsoft fixes very critical vulnerability called JASBUG; bigger than Heartbleed and Shellshock". MyCE. Retrieved 2015-03-10.
  27. Freed, Anthony M. (2015-02-10). "Microsoft Updates Core Windows Components to Patch Critical JASBUG Vulnerability". Dark Matters. Retrieved 2015-03-10. In a rare move, Microsoft had to re-engineer some core components of the Windows operating system in order to mitigate a critical design vulnerability that could allow attackers to gain administrator-level privileges on tens-of-millions of devices.
  28. Constantin, Lucian (2015-02-11). "Critical vulnerability in Group Policy puts Windows computers at risk". CSO Magazine. Retrieved 2015-03-10.
  29. Bott, Ed (2015-02-10). "Microsoft's Patch Tuesday release leaves one big vulnerability unpatched". ZDNet. Retrieved 2015-03-10.
  30. "JASBUG: What is it? How Are You Protecting Your Legacy Windows Systems?". Symantec. 2015-02-17. Retrieved 2015-03-10.