In a security bulletin, MS15-011, the tech giant revealed that the critical vulnerability impacts all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
JAS Global Advisor and simMachines discovered the vulnerability early last year and reported the issue to Microsoft in January 2014, a fact sheet published by JAS reveals. The bug, assigned the ID CVE-2015-0008, apparently took Microsoft quite some time to remediate because it impacts core components of the Windows operating system, the company said.
“All computers and devices that are members of a corporate Active Directory may be at risk. The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device. Roaming machines — Active Directory member devices that connect to corporate networks via the public Internet (possibly over a Virtual Private Network (VPN)) — are at heightened risk.”
JAS, which referred to the issue as a “fundamental design flaw,” later added that the patch required Microsoft to “re-engineer core components of the operating system and to add several new features.”
In its security bulletin, Microsoft alerted users that one of its affected products, Windows Server 2003, did not receive an update, apparently due to this very reason.
“The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003,” Microsoft said in its bulletin. “To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component. The product of such a re-architecture effort would be sufficiently incompatible with Windows Server 2003 that there would be no assurance that applications designed to run on Windows Server 2003 would continue to operate on the updated system.”
The tech giant notes that an attacker exploiting JASBUG could gain complete control of a targeted system, to go forth and install programs; delete, alter or peruse users’ data; or create new accounts with full user rights.
In addition to the fix for JASBUG, the Patch Tuesday update included two other critical patches – MS15-010, which resolves six RCE vulnerabilities in Windows kernel-mode driver, and MS15-009, which addresses a whopping 41 bugs in Internet Explorer via a cumulative update for the web browser.
The six remaining patches in Microsoft’s February update were rated “important,” and remediated vulnerabilities in Microsoft Office that could allow RCE and security feature bypass, and bugs in Windows that could allow elevation of privilege, security feature bypass and information disclosure. Also included in the “important” bulletins was a fix, MS15-017, for a vulnerability in Virtual Machine Manager (VMM) which could give an attacker elevated privileges.