In February’s Patch Tuesday, Microsoft issued an update to fix a privately reported critical vulnerability in Group Policy that could allow potential attackers to achieve remote code execution (RCE) in domain networks.
If successfully exploited, an attacker could gain complete control of a vulnerable system, install programs, view data and even create additional accounts with admin privileges.
Microsoft's bulletins MS15-011 and MS15-014 address these network access vulnerabilities and harden Group Policy:
- “MS15-014 addresses an issue in Group Policy update, which can be used to disable client-side global SMB Signing requirements, bypassing an existing security feature built into the product.”
- “MS15-011 adds new functionality, hardening network file access to block access to untrusted, attacker-controlled shares when Group Policy refreshes on client machines.”
MS15-011 is particularly alarming because of the ease with which a laptop can be subverted into connecting to an attacker-controlled network, explained Tripwire Security Researcher Craig Young.
“The prevalence of workers using enterprise laptops to work remotely from coffee shops, hotels and airports with unauthenticated WiFi makes it trivial for attackers to simply advertise common network names and get unsuspecting laptops connected.”
Young added that a more aggressive attacker could also broadcast spoofed messages from a legitimate wireless network, forcing clients to disconnect and then luring them onto a network under the attacker’s control.
“This flaw, which has existed for at least a decade, has been known by Microsoft since January 2014 but required extensive changes to core functionality within the Windows operating system,” said Young.
Consequently, the fix for this issue will require more than the standard download and installation process. As Young further explains, enterprises will need to apply a new group policy to the patched workstation.
“The patch provides 3 new settings pertaining to authentication, integrity, and privacy such that the updated clients have the ability to authenticate a valid server, ensure that the security policy has not been tampered with, and that a third-party on the network cannot view the contents of the security policy,” said Young.
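The three settings Young refers to are exposed by the MS15-011 update as "Hardened UNC Paths" (in Group Policy under Computer Configuration, Administrative Templates, Network, Network Provider) and land in the registry as one string value per UNC path, with the flags `RequireMutualAuthentication`, `RequireIntegrity` and `RequirePrivacy`. The PowerShell below is an added example, not code from the article or from Microsoft: it audits a patched workstation for those values and, run elevated, applies the commonly recommended baseline for the two shares Group Policy reads during refresh. The share list, the decision to leave `RequirePrivacy` off, and the function names are this example's own choices; in a domain the same values would normally be delivered by GPO rather than set locally.

```powershell
# Added example (not from the article): audit and apply MS15-011 "Hardened UNC Paths".
# Key and flag names are those introduced by the update; which shares to cover and
# whether to require privacy (encryption) are assumptions for this example.

$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Group Policy refresh reads scripts and policy files from these shares on any domain
# controller, hence the wildcard host. Mutual authentication stops a rogue share from
# being accepted; integrity stops the policy being altered in transit.
$RequiredPaths = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

# Turn "RequireMutualAuthentication=1, RequireIntegrity=1" into a lookup table so that
# spacing or ordering differences in the stored value do not affect the audit.
function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    $flags = @{}
    if ([string]::IsNullOrWhiteSpace($Value)) { return $flags }
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = ($pair.Trim() -split '=', 2)
        if ($name) { $flags[$name.Trim()] = $setting.Trim() }
    }
    return $flags
}

# Report, per path, whether the value exists and which of the three protections it requires.
function Test-HardenedUncPaths {
    [CmdletBinding()]
    param([hashtable]$Expected = $RequiredPaths)

    $key = if (Test-Path $HardenedPathsKey) { Get-Item -Path $HardenedPathsKey } else { $null }

    foreach ($path in $Expected.Keys) {
        # RegistryKey.GetValue is an exact match; Get-ItemProperty -Name would treat '*' as a wildcard.
        $current = if ($key) { $key.GetValue($path) } else { $null }
        $flags   = ConvertFrom-HardenedPathValue -Value $current

        [pscustomobject]@{
            Path                 = $path
            Configured           = [bool]$current
            MutualAuthentication = ($flags['RequireMutualAuthentication'] -eq '1')
            Integrity            = ($flags['RequireIntegrity'] -eq '1')
            Privacy              = ($flags['RequirePrivacy'] -eq '1')
            # Baseline for this example: both authentication and integrity must be required.
            Compliant            = ($flags['RequireMutualAuthentication'] -eq '1' -and
                                    $flags['RequireIntegrity'] -eq '1')
        }
    }
}

# Write the baseline values locally (requires an elevated session). -Force overwrites an
# existing value, and New-ItemProperty does not treat the '*' in the name as a wildcard.
function Set-HardenedUncPaths {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable]$Expected = $RequiredPaths)

    if (-not (Test-Path $HardenedPathsKey)) {
        New-Item -Path $HardenedPathsKey -Force | Out-Null
    }
    foreach ($path in $Expected.Keys) {
        if ($PSCmdlet.ShouldProcess($path, "Set '$($Expected[$path])'")) {
            New-ItemProperty -Path $HardenedPathsKey -Name $path -Value $Expected[$path] `
                -PropertyType String -Force | Out-Null
        }
    }
}

# Usage: audit first, then remediate any non-compliant path.
$audit = Test-HardenedUncPaths
$audit | Format-Table -AutoSize
if ($audit | Where-Object { -not $_.Compliant }) {
    Set-HardenedUncPaths -WhatIf   # drop -WhatIf to apply
}
```

The registry values only take effect on clients that have the MS15-011 update installed; on an unpatched machine the key is simply ignored, which is why the audit above should be paired with a check that the update itself is present.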
The flaw is known to affect Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 2000, Windows XP, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2 and Windows RT 8.1.