Microsoft has just released a patch for a bug that has existed for about 15 years. It could allow attackers to take complete control of PCs running all supported versions of Windows. Microsoft rated the severity of the threat as "Critical", and it even warranted an alert from the Department of Homeland Security and several other major cybersecurity companies.
The "Jasbug" flaw was discovered about a year ago by an independent researcher, Jeff Schmidt of JAS Global Advisors, who notified Microsoft; together they patched it. It took an entire year to fix because of its deep roots in the Microsoft operating system. It affects all versions of Windows from Vista to 8.1. Here is an excerpt from the official Microsoft blog describing a potential attack that could be carried out with this bug:
- In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\10.0.0.100\Share\Login.bat.
- On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.
- The attacker will have crafted the contents of Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim’s machine.
- The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server 10.0.0.100 is now routed through to the attacker’s machine.
- When the victim's machine next requests the file, the attacker's machine will return the malicious version of Login.bat.

This scenario also illustrates that this attack cannot be used broadly across the internet: an attacker needs to target a specific system or group of systems that request files with this unique UNC.
The bug allows attackers to remotely execute malicious code that a machine receives when it connects to a domain. At the same time, a Group Policy flaw can prevent the machine from retrieving its valid security policies, causing it to revert to the defaults. Together, these effectively allow the attacker to bypass the authorization needed to access another machine.
– Tien Le
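The patch described above ships a client-side mitigation, UNC Hardened Access, which makes Windows refuse Group Policy and logon-script shares that are not served over a mutually authenticated, integrity-protected SMB connection (the defence against the share-spoofing scenario quoted from Microsoft). The following audit script is an added example, not code from this post or from Microsoft; the registry key and value format are taken from Microsoft's policy definition and are not stated on the page.

```powershell
# Added example (not from the post): report whether UNC Hardened Access is
# configured for the two domain shares that deliver Group Policy and logon
# scripts. Key path and value format are from Microsoft's policy definition.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$RequiredShares   = @('\\*\NETLOGON', '\\*\SYSVOL')

function Test-HardenedPathValue {
    # A hardened path value looks like
    # "RequireMutualAuthentication=1, RequireIntegrity=1".
    # Both flags must be 1 for the client to reject an unauthenticated
    # or tampered server such as the attacker's spoofed share.
    param([string]$Value)
    $settings = @{}
    foreach ($pair in ($Value -split ',')) {
        $parts = $pair.Trim() -split '=', 2
        if ($parts.Count -eq 2) { $settings[$parts[0].Trim()] = $parts[1].Trim() }
    }
    return ($settings['RequireMutualAuthentication'] -eq '1' -and
            $settings['RequireIntegrity'] -eq '1')
}

function Get-UncHardeningReport {
    # One object per required share: Configured = a value exists,
    # Hardened = the value requires both mutual auth and integrity.
    $item = Get-ItemProperty -Path $HardenedPathsKey -ErrorAction SilentlyContinue
    foreach ($share in $RequiredShares) {
        $value = $null
        if ($null -ne $item) {
            $prop = $item.PSObject.Properties[$share]
            if ($null -ne $prop) { $value = [string]$prop.Value }
        }
        [pscustomobject]@{
            Share      = $share
            Configured = ($null -ne $value)
            Hardened   = ($null -ne $value) -and (Test-HardenedPathValue $value)
            Value      = $value
        }
    }
}

Get-UncHardeningReport | Format-Table -AutoSize
```

A host where either share reports Hardened = False still accepts the spoofed-share scenario even after the update is installed, because the policy must be set explicitly.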