Site icon Sophos News

Update Tuesday wrap-up, February 2015 – don’t let JASBUG distract you

So far, Adobe doesn’t seem to have put out any fixes for Update Tuesday [2015-02-11T08:00Z].

Perhaps the company feels it’s ahead of the game this month, having put out three “out-of-band” emergency updates since January’s Update Tuesday?

Anyway, no matter, because Microsoft’s updates have more than made up for it, even if only in the excitement they’ve generated.

Here comes JASBUG

For better or for worse, two of Microsoft’s nine bulletins for February 2015 have stolen the spotlight.

These vulnerabilities are MS15-011 and MS15-014, and they both relate to Microsoft’s Group Policy system.

They’ve acquired a high profile for a number of reasons:

The elevator summary for this brace of bugs is as follows.

When a computer connects to an Active Directory network, the server carefully authenticates the client before allowing it at any files.

But the client doesn’t necessarily authenticate or verify the server, or can be tricked into not doing so. (Old-school security, remember, was always about protecting the network from dodgy outsiders, rather than the other way around.)

So, in some cases, when you try to fetch files from certain file shares, an attacker may be able to redirect your network traffic to an imposter server.

Your Windows client software won’t notice the switch, so the crook can then feed you imposter files, including malware-laden, booby-trapped programs, scripts or documents.

Don’t forget the rest

The publicity that has surrounded JASBUG – curiously, JAS Global Advisors, one of the companies that helped find it, actually decided to name the flaw after itself – has a downside.

Indeed, JASBUG is a serious hole that puts corporate networks at risk, and, if exploited successfully, makes RCE trivially easy, because the crooks get to feed you fully-formed imposter files.

But be careful that you don’t let JASBUG overshadow the other fixes in the February 2015 Update Tuesday repertoire.

Notably, beware of deferring Microsoft’s other fixes “until the biggie is patched,” not least because just applying the update isn’t quite enough to sort out JASBUG, although a regular update will fix the others.

Unfortunately, there are plenty of others this month.

Three of these give the crooks a chance at RCE exploits on almost any Windows computer, whether it’s logging on to an Active Directory network or not:

Patch the lot!

So, for all that your network administrators at work might be sweating the most right now about JASBUG, don’t take that attitude home with you.

At home, where you probably don’t even use Active Directory or GPOs, JASBUG most likely won’t affect you at all.

But the three bugs listed above in Explorer, Office and the kernel itself could let a crook take over your computer at any time.

And remember that kernel vulnerabilities, where a file opened by a user can compromised the entire operating system, are essentially “trifecta bugs,” combining RCE, Security Bypass and EoP (elevation of privilege) into one Big Bang.

Notably, even the Word Viewer, which many people use as a “risk-reduced” version of Office for looking at untrusted files, could put you at risk of booby-trapped web downloads or email attachments.


(Audio player not working? Listen on Soundcloud.)

The bottom line

You know what we’re going to say.

It may sound trite, but it never gets old: patch early, patch often.

→ For a full list of this month’s fixes, please see the SophosLabs Vulnerabilities page.

Patchwork letters and background of denim cloth courtesy of Shutterstock.

Exit mobile version