Follow Slashdot stories on Twitter


Forgot your password?
Windows Microsoft Security IT

Microsoft Fixes Critical Remotely Exploitable Windows Root-Level Design Bug 136

An anonymous reader writes "In this month's Patch Tuesday, Microsoft has released nine security bulletins to address 56 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software. Of the nine security bulletins, three are rated Critical in severity, and among these three is one that addresses a years-old design flaw that can be exploited remotely to grant attackers administrator-level privileges to the targeted machine or device. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." Reader jones_supa writes, though, that the most recent patch rollout came with a bug of its own, since corrected: the company apparently botched a rollup update for Visual Studio 2010 Tools for Office Runtime: "There is an issue with KB3001652: many users are reporting that it is locking up their machines while trying to install it. It does not seem that this patch is doing any other damage though, such as bricking the operating system. These days Microsoft appears to be reacting quickly to this kind of news as it looks like the patch has already been pulled from Windows Update."
This discussion has been archived. No new comments can be posted.

Microsoft Fixes Critical Remotely Exploitable Windows Root-Level Design Bug

Comments Filter:
  • by ihtoit ( 3393327 ) on Thursday February 12, 2015 @10:37AM (#49037775)

    I read this just SIX MINUTES after I installed the bloody office runtime update.

    Which, lucky me, didn't lock the system up. It seems to have installed pretty painlessly.

    (wonder if that could be anything to do with the fact that I don't have Office installed?)

    • by Bacon Bits ( 926911 ) on Thursday February 12, 2015 @10:47AM (#49037859)

      It might be an extremely rare issue. Following the links in the article, the last update they pulled in August of 2014 was pulled because it was causing blue screen errors for 0.01% of users [], but they pulled it anyways.

    • by VGPowerlord ( 621254 ) on Thursday February 12, 2015 @02:32PM (#49039933)

      I read this just SIX MINUTES after I installed the bloody office runtime update.

      Microsoft already released a fixed version at least 12 hours before /. posted this story... and pulled the buggy version some hours (8?) before that.

      In other words, by the time this story was posted, it was no longer relevant.

    • by WasteOfAmmo ( 526018 ) on Thursday February 12, 2015 @03:37PM (#49040705) Journal

      After some investigation it looks like the update may not have been configured to do a silent install properly and actually hangs as it is waiting for user input on an invisible dialogue box.

      If you have a machine that does hang we have found the following:
      1. wait until there is virtually no disk activity (counting on you have a light that shows you) and then power the machine down, or
      2. use either PowerShell remoting or psexec to kill the two processes involved in the update: "Setup" and "vstor_redist".
      With PowerShell: Invoke-Command -ComputerName hostname -ScriptBlock {Stop-Process -Name Setup,vstor_redist -Force}
      With PSExec something like this will work:
      Psexec \\hostname cmd
      Taskkill /im Setup /f
      Taskkill /im vstor_redist /f

      If the machine is doing a number of updates killing the two processes above will allow the machine to continue with the rest of the updates.

      Of course the standard disclaimers apply: No guarantees the above will help and not harm you computer, your mileage may vary, batteries not included, objects in code are buggier than they appear, yadda, yadda.

  • by jfbilodeau ( 931293 ) on Thursday February 12, 2015 @10:46AM (#49037849) Homepage

    Why would a patch for an IDE lock up an OS?

    Is Microsoft able in any way to create products that are not intractably entrenched in their OS?

    • by Rich0 ( 548339 )

      In the case of VB it might have to do with the way it installs a debugger (assuming it still does that - has been ages since I've used it).

      It is still a stupid design. In Linux I can debug a process without elevated privileges whatsoever. Now, messing with kernel debugging tools could potentially crash your system and requires elevated privileges, but, well, you're messing with the kernel.

      Now, I could see a botched installer going nuts and killing other processes or whatever, requiring a user to log off a

      • by jfbilodeau ( 931293 ) on Thursday February 12, 2015 @10:56AM (#49037921) Homepage

        "killall --user myself --signal SIGKILL"

        Sounds like the type of code a VB developer would write on Linux. :P

        • by Rich0 ( 548339 )

          "killall --user myself --signal SIGKILL"

          Sounds like the type of code a VB developer would write on Linux. :P

          Just an illustration, but I have run stuff like this to clean up orphan processes. If you're running systemd there are also settings you can change which will cause it to clean up orphan processes as well (just don't do this if you like to leave stuff running under screen and so on).

    • by Pope Hagbard ( 3897945 ) on Thursday February 12, 2015 @11:06AM (#49038007) Journal

      It's not a patch for the IDE, it's for the runtime for programs built with that version of Visual Studio (there are such runtimes for all versions of VS). It sounds like the computer can freeze during patch installation.

    • Historically, they've used APIs the rest of us don't see, and since this is also a debugger and who knows what else ... it's probably embedded quite deeply into the OS.

      Part of the problem is Microsoft's own software has pretty much always been intractably entrenched in the OS, and they've never seen that as an issue.

      It doesn't sound like a modular architecture .. it sounds like they just view all of this as one monolithic thing.

      Which is probably why they have a terrible track record of supporting other plat

    • I've seen this issue twice (we have a few VS2010 enabled machines). If you apply the patch by going into the Windows Update screen it will simply attempt to install in an infinite loop and you can simply end the process using the task manager. If you shutdown the system while the patch is pending to be installed, Windows will attempt to perform the update before completing the shutdown procedure. This is what creates the appearance of a lock up. Because the patch never appears to end, it remains in shutdown

  • I updated immediately after release on 2/10, but I don't have the patch mentioned. I presume that is because I don't have Visual Studio installed?

    • by eyenot ( 102141 )

      Probably so. I just checked the incoming updates and the problematic one was in the list, and I do have VS2010 installed. However, I did not install the particular subgroup of tools that the patch is mentioned to target. Good thing I crawled through the list looking for the specific KB#'s of incoming updates and unchecked it. If I were less cautious I would have been hitting "Install" feeling safe under the assumption that since I didn't have those tools installed in VS2010 that I would not be targeted for

    • by Anonymous Coward
      Visual Studio Tools for Office (VSTO) is a runtime - you often don't know you have it installed as it would come as a dependency with another application. It is generally safe to say that if you don't have MS Office installed, you don't have VSTO installed either because the applications written with VSTO are generally ad-ins for Office. Things like WebEx scheduling ad-ins for MS Office Outlook, etc.
  • by Bacon Bits ( 926911 ) on Thursday February 12, 2015 @10:53AM (#49037897)

    The article says the patch has already been updated and is safe to install.

    • Yes, except... if your machine still has updates outstanding then from what we have seen it is best if you "check for updates" again before installing them. It looks like if the patch was already downloaded then it will install unless you refresh by checking for updates again before installing.

  • Apparently the update left out a serious universal XSS vulnerability in IE11 unpatched. Source []
    Vulnerability Full Disclosure - 31 Jan 2015 []
  • No patch for XP (Score:1, Flamebait)

    by ugen ( 93902 )

    How convenient that 15% of all Windows computers are (and will remain) vulnerable to this problem (yes, I mean Windows XP). Good one.

  • Sad Hacker (Score:5, Funny)

    by sir-gold ( 949031 ) on Thursday February 12, 2015 @11:10AM (#49038029)

    Somewhere in the world, there is a hacker crying into his keyboard right now, because MS finally found the hole he's been exploiting for the last 10 years.

    • I think you meant, "Somewhere in the world, there is a **script-kiddie** crying into his keyboard right now, because MS finally found the hole he's been exploiting for the last 10 years."
      • I don't know about that. It looks like somebody would have had to find the exploit and kept quiet. The vague language in the summary made it sound serious enough that selling tools for it would probably make a headline or two. Remote access, full admin control, deleting files (gasp), actually did someone just confuse a movie review of Blackhat with a real event?

      • The script kiddie would have no idea that the security hole they were exploiting was fixed until they suddenly find out that their l33t hax0r t00lz no longer work.

  • The XP Killer? (Score:5, Insightful)

    by bill_mcgonigle ( 4333 ) * on Thursday February 12, 2015 @11:38AM (#49038225) Homepage Journal

    We've been waiting for that vulnerability that will finally create such havoc on XP that people will abandon it.

    The security bulletin [] is vague, as usual, but it does say:

    A remote code execution vulnerability exists in how Group Policy receives and applies policy data when a domain-joined system connects to a domain controller. To exploit this vulnerability, an attacker would have to convince a victim with a domain-configured system to connect to an attacker-controlled network.

    An attacker who successfully exploited this vulnerability could take complete control of an affected system and then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by improving how domain-configured systems connect to domain controllers prior to Group Policy accepting configuration data. ...

    Although Windows Server 2003 is an affected product, Microsoft is not issuing an update for it because the comprehensive architectural changes required would jeopardize system stability and cause application compatibility problems. Microsoft recommends that security-conscious customers upgrade to a later operating system in order to keep pace with the changing security threat landscape and benefit from the more robust protections that later operating systems provide.

    Which would seem to put the XP/2003 lineage one malware download away from connecting to a botnet that spoke just enough Domain protocol to exploit it and being pwned.

    NSA could have such an exploit ready next week, Russian mafia in a month. The Prize is controlling close to 19% of the installed base.

    • by Dwedit ( 232252 ) on Thursday February 12, 2015 @11:59AM (#49038409) Homepage

      Everyone runs Admin on XP anyway, so privilege escalation is less of a problem than it could be.

    • Re:The XP Killer? (Score:5, Informative)

      by tlhIngan ( 30335 ) <slashdot@wo[ ]net ['rf.' in gap]> on Thursday February 12, 2015 @01:41PM (#49039361)

      We've been waiting for that vulnerability that will finally create such havoc on XP that people will abandon it.

      It only affects domain-joined PCs. If you're running XP Home (can't join a domain to begin with), then it really doesn't affect you.

      It's a basic downgrade attack - similar to how those TLS bugs were done. You force the client and/or server to revert to an older less secure authentication protocol and then use that to get your way in.

      And most businesses have moved off XP.

      • by antdude ( 79039 )

        Are there still that many business using old Windows XP Pro SP3 with domain connections?

  • by jeffasselin ( 566598 ) <> on Thursday February 12, 2015 @11:44AM (#49038265) Journal

    One very important part of this latest vulnerability is that patching your systems is NOT ENOUGH. The patch is not so much a fix as an entirely new security functionality which must be configured properly.

    It is required to configure a group policy to harden your systems. Any domain-joined system must have both the patch installed and a group policy setup to force the system to use secure authentication and validation mechanism on any sensitive share. Domain shares such as NETLOGON and SYSVOL are an obvious priority, but any share used for software deployment or script execution must be similarly listed.

    Make sure you read the KB article and take the proper steps to secure your systems: []

  • by organgtool ( 966989 ) on Thursday February 12, 2015 @11:55AM (#49038383)
    Why is it that this bug doesn't have a fancy name like Heartbleed and Shellshock? Given that this bug will allow an attacker to completely dominate the target machine, I recommend the name "Skullfuck".
    • Actually the vulnerability has been nicknamed "JASBUG". JAS Global Advisors founder Jeff Schmidt cooperated with Microsoft to fix the bug behind the scenes during 2014, while he was working an engagement with ICANN.
      • Damn, sad to hear that... WindowPain would have been a better fit. That or Glasscutter since, you know, it lets pretty much anyone cut a huge hole in Windows.
      • Maybe they should have called the patch "ICANN FIXIT".
    • by ihtoit ( 3393327 )

      Seconded. I'm surprised nothing called "Skullfuck" has hit the security newswires to date...

  • After successfully forcing the machine to reboot into safe mode last night (to stop a perpetual cyclic restart) I found that the screen fonts were being incorrectly rendered to the point of being unreadable. Hours later it turned out to be KB3013455, now uninstalled. Today several sites say that this affects Vista and several flavours of Windows Server.
  • Everywhere I look people still blissfully using completely insecure authentication methods for VPN access effectively broadcasting plaintext passwords to anyone snooping the wire... but hey at least if someone tricks you into connecting to their evil network Microsoft has your back.

    Would love an education how this bug is worthy of mention while other much more egregious issues such as true type vulnerabilities affecting anyone who browses to an attacker controlled website were also patched.

    • on patch day, not only the trutype thingie got fixed, but 35 other remote code executions in MSIE.
      Shows code quality.

  • The fine article is quite skimpy on the details about who is vulnerable. Throw in a little "If attacked" at the beginning of the sentence and then tack on all sorts of scary things. Sort of like, "If zombies were real." then write a whole host of scary things.

    From what I could make out, the bug is in credential sharing across a network. If some computer configured to be part of remotely administered network "joins" the network controlled by the attacker, then the attacker can get admin privilege. Most hom

    • by skids ( 119237 )

      So it would involve some social engineering to get the user to run a malware trojan

      Not even wrong. Any machine joined to a domain can be tricked into believing another machine is the server in that domain, and then that other machine installs a new group policy disabling all the protections set up by the legitimate domain admin. No social engineering required, just a way to successfully deliver forged packets or poison DNS.

  • by Kernel Kurtz ( 182424 ) on Thursday February 12, 2015 @02:13PM (#49039697) Homepage

    Cisco opened a priority 1 case with Microsoft yesterday as soon as we found out about this issue. We are continuing to escalate this issue with Microsoft for a resolution timeframe. We recommend that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco's case # which is 115021112390273 in order to expedite having your ticket properly triaged by their support team. []

  • Is Windows XP affected?

    • yes. and not patched.
      like windows 2003, which is stull in support, but so badly designed that a patch is not possible.

Never buy what you do not want because it is cheap; it will be dear to you. -- Thomas Jefferson