Microsoft patches critical Windows bugs


By Dylan Bushell-Embling
Thursday, 12 February, 2015


Microsoft has used its latest Patch Tuesday to release fixes for 56 vulnerabilities, including a critical flaw that could allow remote code execution in all supported versions of Windows.

The company has issued patches for the so-called JASBUG, a vulnerability that affects every computer and device joined to a corporate Active Directory domain.

The bug, discovered by researchers at the security consultancy JAS Global Advisors, took Microsoft more than a year to fix because the remedy involved re-engineering a core design component of Windows, iTnews reported.

At the core of the vulnerability is a design problem introduced into Windows some 15 years ago: domain-joined devices on corporate networks do not adequately verify the authenticity of the Active Directory server they connect to before accepting Group Policy data from it.

On unpatched systems, an attacker who controls a network would need only to lure a domain-joined device onto it - for example, a Wi-Fi hotspot at a coffee shop. Once the device connected, the attacker could impersonate the domain and potentially install software, view and modify data and create new accounts on the device with full access rights.

The vulnerability affects all currently supported versions of Windows, from Windows Server 2003 to Windows 8.1. Microsoft has issued fixes for every version barring Windows Server 2003, stating that patching it would require a redesign so extensive that there would be no guarantee applications written for the OS would still run on an updated system.

Windows Server 2003 reaches end of support in July 2015, after which it will no longer receive security updates from Microsoft.

The patches for all other supported versions are listed as critical updates, meaning Microsoft recommends implementing the fixes as soon as possible.
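A caveat for administrators, with a check to go with it. The Group Policy update (Microsoft bulletin MS15-011) does not switch the new protection on by itself: it adds a "Hardened UNC Paths" policy that must be configured before domain-joined clients start requiring mutual authentication and integrity when they fetch policy from SYSVOL and NETLOGON. The script below is an added example, not code from the article or from Microsoft; it audits the registry key that policy writes and, if the entries are missing or weak, writes the values Microsoft recommends. The function names are my own; it assumes an elevated PowerShell session on a domain-joined Windows host with the February 2015 update installed. A domain GPO for the same setting writes the same key and will override any local change, so in production the setting belongs in a GPO rather than in this script.

```powershell
# Added example (not from the article or from Microsoft): audit and, if needed,
# configure the "Hardened UNC Paths" policy that MS15-011 introduced. Installing the
# update alone leaves the protection off. Assumes an elevated session on a
# domain-joined Windows host that already has the update installed.

$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# The two wildcard entries Microsoft recommends for SYSVOL and NETLOGON.
# RequirePrivacy=1 (SMB encryption) may be added where SMB 3.0 is available end to end.
$RequiredPaths = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

# Parse "Name=Value, Name=Value" into a hashtable so the check is order-insensitive.
function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $flags
}

# Returns $true only if every required path is present with both flags set to 1.
function Test-HardenedUncPaths {
    if (-not (Test-Path -Path $HardenedPathsKey)) {
        Write-Warning 'HardenedPaths key is absent: the update may be installed, but UNC hardening is not configured.'
        return $false
    }
    $props = Get-ItemProperty -Path $HardenedPathsKey
    $allGood = $true
    foreach ($path in $RequiredPaths.Keys) {
        $prop = $props.PSObject.Properties[$path]
        if (-not $prop) {
            Write-Warning "No hardening entry for $path"
            $allGood = $false
            continue
        }
        $flags = ConvertFrom-HardenedPathValue -Value ([string]$prop.Value)
        if ($flags['RequireMutualAuthentication'] -ne '1' -or $flags['RequireIntegrity'] -ne '1') {
            Write-Warning "$path is present but weak: '$($prop.Value)'"
            $allGood = $false
        } else {
            Write-Host "$path OK: $($prop.Value)"
        }
    }
    return $allGood
}

# Writes the same values a domain GPO for "Hardened UNC Paths" would write.
function Set-HardenedUncPaths {
    if (-not (Test-Path -Path $HardenedPathsKey)) {
        New-Item -Path $HardenedPathsKey -Force | Out-Null
    }
    foreach ($path in $RequiredPaths.Keys) {
        Set-ItemProperty -Path $HardenedPathsKey -Name $path -Value $RequiredPaths[$path] -Type String
    }
}

if (-not (Test-HardenedUncPaths)) {
    Set-HardenedUncPaths
    Test-HardenedUncPaths | Out-Null
}
```

Run the audit on its own first (call Test-HardenedUncPaths without the trailing block) to see what a fleet looks like before changing anything; a patched host that reports the key as absent is exactly the "updated but still exposed" state the caveat describes.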

Microsoft's Patch Tuesday release includes two other bundles marked critical, one of them resolving 41 vulnerabilities in Internet Explorer. The worst of these could also allow remote code execution if a user views a specially crafted web page in the browser.

The other update fixes six vulnerabilities in a Windows kernel-mode driver that could allow remote code execution if a user opens a specially crafted document or visits an untrusted website containing embedded TrueType fonts.

The company has also pushed out two updates for Microsoft Office marked important, fixing bugs that could potentially allow for remote code execution and the bypass of security features respectively.

Four more important updates to various Windows components address the potential for security feature bypass, elevation of privilege and information disclosure.

Microsoft's practice of generally pushing out patches only once a month has come under scrutiny lately, after Google's Project Zero published details of unfixed vulnerabilities in Microsoft software before a fix was available on three separate occasions.

Google was following its policy of giving software vendors 90 days to fix a vulnerability before it is publicly disclosed. But Microsoft had called on the search giant to give it more time to ensure a fix is in place before a vulnerability is disclosed, in the interest of protecting users.

Some security experts believe Microsoft's turnaround time for addressing major vulnerabilities is too slow considering the ubiquity of Windows and other Microsoft software.

  • All content Copyright © 2024 Westwick-Farrow Pty Ltd