
Microsoft praised and criticised for software security
Microsoft will today squeeze out its monthly Patch Tuesday list of fixes for a range of vulnerabilities affecting its various software types. For one of the three issues rated “critical”, it took more than 12 months to fix the problem. If Microsoft was dealing with Google, which has given all companies a 90-day deadline to address bugs Googlers find, it would have been in a spot of bother. It can be thankful it was working alongside the more patient Jeff Schmidt, CEO of JAS Global Advisors, a professional services partnership.

Schmidt told Forbes Microsoft dealt with the issue, which affects almost all businesses managing Windows systems, in the correct manner, even if the Redmond tech titan learned about the problem back in January 2014. The flaw resides in Active Directory, a core component of Windows and a “special-purpose” database used by IT for all kinds of management processes, including handling of network logins. It’s not a server-side issue, however, but a client issue. According to Schmidt, in many cases workers’ devices don’t carry out adequate checks on the authenticity of the Active Directory server they’re getting orders from. They’re essentially “too trusting”, he said.
In particular, they are guilty of “misuse” of the Domain Name System, which changes URLs like Forbes.com into a machine-readable number, for authentication, Schmidt said. An attacker could trick employees’ PCs, tablets or smartphones into connecting to a spoofed Active Directory server, he added, noting the potential for such “man-in-the-middle” attacks made this vulnerability a dreaded remote code execution flaw and particularly dangerous when users are sat on a remote network, not the corporate one, such as when they’re using public Wi-Fi at a coffee shop. It’s been dubbed JASBUG (all bugs require jazzy nomenclature in 2015) and could be used to spy on employees’ corporate activities.

“This is a real bummer,” said Schmidt, noting that this was more of a design flaw than a coding issue. And it stems back to the year 2000, 15 years ago. But there have been no known exploits of the vulnerability.

Schmidt said Microsoft had to go right into the “bowels” of Windows to eliminate JASBUG, hence the lengthy remediation process. “The urgent message here is that admins of Microsoft networks need to pay attention to this. Start staging now. They shouldn’t rush but they need to pay attention.”
Though Schmidt was satisfied with Microsoft’s response, others haven’t been so kind to the firm, which has been forced to put out numerous fires in related departments. Rapid7 director of engineering Dirk Sigurdson just yesterday pointed to an “egregious” weakness in the Outlook app for iOS and Android, which ignores security policies set by IT admins over ActiveSync. “If your organization is dependent on ActiveSync policies in any way you should immediately block ActiveSync access to Outlook for iOS and Android,” he recommended.

Towards the end of January, Microsoft was under fire for some supposedly insecure design decisions in the same mobile app. That same month, it was criticised over a decision to reserve advance warnings for Patch Tuesday for paying customers, effectively locking out those who couldn’t afford the service, which was previously freely available to all. And it’s had a heated tussle with Google, which released details on a slew of Microsoft flaws after the latter didn’t meet the 90-day deadline.
Microsoft had not responded to a request for comment at the time of publication.