Researchers bypass protections on all Windows versions by modifying 1 bit

Feb 11, 2015 | 6 min read
Data and Information Security | Microsoft | Security

Another Patch Tuesday, another botched patch, and other interesting tidbits, such as how researchers can pwn Windows - even Windows 10 Technical Preview - via 'one-bit to rule them all.'

In all, Microsoft Security Response Center said it released nine security bulletins, three rated Critical and six rated Important, to address a total of 56 CVEs in Windows, Office, IE and Microsoft Server software this week.

Another Patch Tuesday, another botched patch

Some SANS Internet Storm Center forum users reported that a Microsoft patch for KB 3001652 was causing machines to hang, freeze, and never finish installing. The weird part is that KB 3001652 was an update for Visual Studio 2010 Tools that Microsoft rolled out in October 2014.

Nevertheless, ISC user AnAdmin said, “It might have been ‘published’ in October but until about 30 minutes ago, it was being pushed out with this AM’s updates and hanging up machines….MS has pulled KB3001652 from current Windows Update. KB3034196 for IE11 appeared after KB3001652 was pulled by MS.”

InfoWorld’s Woody Leonhard reported that Microsoft re-released KB 3001652; he also aggregated the pain and frustration the botched patch was causing users before Microsoft finally pulled it.

Satya Nadella, come on dude! While I don’t know who all you laid off at Microsoft, it surely seems like you need QA testers - or something - so Microsoft would stop releasing cluster-flubbed fixes for flaws.

One bit to rule them all

Breaking Malware certainly snagged attention when it wrote about “One-Bit To Rule Them All: Bypassing Windows’ 10 Protections using a Single Bit.”

After referencing the critical security update MS15-010, which included the fix for the flaw publicly disclosed by Google’s Project Zero team and five privately reported vulnerabilities in the Windows kernel-mode driver, Udi Yavo explained that the patch included a fix for CVE-2015-0057, an important-rated vulnerability responsibly disclosed to Microsoft a few months ago.

As part of our research, we revealed this privilege escalation vulnerability which, if exploited, enables a threat actor to take complete control of a Windows machine. In other words, a threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization.

Interestingly, the exploit requires modifying only a single bit of the Windows operating system.

We have verified this exploit against all supported Windows desktop versions, including Windows 10 Technical Preview.

The rest of the write-up is both long and complex, dealing with Windows scrollbars but sadly leaving me somewhat confused; however, the subreddit NetSec kindly provided a tidy summary for tl;dr folks.

Breaking Malware included a proof-of-concept video that doesn’t actually release any sensitive code, but shows the privilege escalation exploitation on a machine running 64-bit Windows 10 Technical Preview.

Yavo added a “funny” about a piece of code for which the condition can never be met.

“This practically means that this dead-code was there for about 15-years doing absolutely nothing.” That was followed by a Spock button GIF comment that I rather enjoyed.


Other Patch Tuesday tidbits

Krebs on Security highlighted one of the more interesting critical patches, MS15-011. Brian Krebs wrote:

Among the more interesting critical patches is a fix for a vulnerability in Microsoft Group Policy that could present unique threats for enterprises that rely on Active Directory, the default authentication mechanism on corporate Windows networks. The vulnerability is remotely exploitable and can be used to grant attackers administrator-level privileges on the targeted machine or device - that means 10s of millions of PCs, kiosks and other devices, if left untreated.

The IEBlog reported that the critical security update MS15-009 resolved one publicly reported and 40 privately reported vulnerabilities in Internet Explorer. Wolfgang Kandek, CTO of Qualys, called it the most important bulletin, followed by MS15-012, which Microsoft only rated as “Important.”

The IEBlog post included a reminder that, with the “April 14, 2015 Internet Explorer update, we plan to disable SSL 3.0 by default in Internet Explorer 11.” Does this mean more work for you? That depends, as you can test your server to see if it will be impacted by “disabling SSL 3.0 in your browser.” Then you can “see which sites use a connection over SSL 3.0 and need to be updated. We encourage users to use the workarounds and easy, one-click Fix it provided in Security Advisory 3009008 to disable SSL 3.0 in your browser.”
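One way to check your own server ahead of that change, as an added example that is not part of the article or of Microsoft’s advisory: hand-build an SSL 3.0 ClientHello (modern TLS libraries no longer speak SSLv3, so you cannot simply ask them), send it, and see whether the server answers with a ServerHello. The host name, port and the small cipher list are assumptions for illustration.

```python
"""Probe whether a server still negotiates SSL 3.0 (added example, not from the article)."""
import socket
import struct
import sys

SSL3_VERSION = 0x0300
# Assumed representative SSLv3-era suites: RSA/AES128-SHA, RSA/3DES-SHA, RSA/RC4-SHA.
SSL3_CIPHERS = [0x002F, 0x000A, 0x0005]


def build_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Return one TLS record carrying an SSL 3.0 ClientHello with no extensions."""
    suites = b"".join(struct.pack("!H", c) for c in SSL3_CIPHERS)
    body = (
        struct.pack("!H", SSL3_VERSION)        # client_version = 3.0
        + client_random                         # 32-byte random (fixed here so output is deterministic)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    # Handshake header: type client_hello (1) + 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake (0x16), version 3.0, 2-byte length.
    return b"\x16" + struct.pack("!H", SSL3_VERSION) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server sends back after our SSLv3 ClientHello."""
    if len(data) < 5:
        return "closed"             # connection dropped without a record: SSL 3.0 refused
    content_type = data[0]
    version = struct.unpack("!H", data[1:3])[0]
    if content_type == 0x16 and len(data) >= 6 and data[5] == 0x02 and version == SSL3_VERSION:
        return "sslv3_accepted"     # ServerHello at version 3.0: this server will be affected
    if content_type == 0x15:
        return "alert"              # e.g. handshake_failure / protocol_version: unaffected
    return "other"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(reply)


if __name__ == "__main__":
    # Placeholder host; pass your own server as the first argument.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.invalid"))
```

A result of sslv3_accepted means clients that have disabled SSL 3.0 can still connect only if the server also offers TLS; the fix is to turn SSL 3.0 off on the server rather than rely on the client.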

Another interesting Patch Tuesday tidbit comes from Michal Zalewski, about MS15-016 and finding TIFF image bugs with his fuzzing tool, American Fuzzy Lop (afl). His proof-of-concept is here, and Zalewski was impressed with Microsoft’s speed to patch.

“Microsoft has addressed it in precisely 60 days, counting from my initial email to the availability of a patch!” He added, “The average patch time always seemed to be closer to 6+ months – coupled with the somewhat odd practice of withholding attribution in security bulletins and with seemingly punitive PR outreach if the reporter ever went public before that.”

Now if only Microsoft could keep fixing flaws fast without botching it along the line.

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.