In February, as part of Patch Tuesday, Microsoft issued a series of critical fixes for significant flaws in the Windows Group Policy architecture that allowed an attacker to take complete control of a Windows domain using man-in-the-middle attacks. This flaw was credited to Luke Jennings, an MWR InfoSecurity researcher.
While most bugs are limited to specific applications such as Microsoft Office or Internet Explorer, it is quite rare to find one in the Windows architecture itself, which likely made it very difficult for Microsoft to engineer a fix.
Group Policy is a key central management technology component of Microsoft Windows domain-based networks. Luke was able to demonstrate to Microsoft how an attacker with the ability to intercept network traffic can gain SYSTEM level code execution on any domain member within a Microsoft Windows domain in default configuration up to and including Windows 8.1/2012R2.
Exploiting this vulnerability generally requires local access to the network, whether via a traditional network port, a Wi-Fi access point or similar. It requires the ability to intercept network traffic and is therefore relatively advanced to carry out. It is not a client-side attack in the way a web browser or desktop software vulnerability is, and cannot be leveraged through a phishing attack, for example. However, when successful, the attacker gains complete control over every device on the Windows network.
Any network running Microsoft Group Policy is at risk. Outside of very small companies, the vast majority of businesses are likely to use Group Policy, as it is standard practice for business networks, and Microsoft's dominant business market share means that a lot of businesses could be affected. Consumers are unlikely to be affected, as their devices are not typically managed by Group Policy.
Now, six weeks on from the initial announcement, Luke has found that, while Microsoft has introduced configuration options to increase resiliency against these attacks, some issues remain unresolved: specifically, certain privilege escalation scenarios are not protected by the new security controls. Additionally, the default configuration is still vulnerable to all of the attacks, so only companies that have made the effort to configure the new controls will be protected.
Luke will present his original research today at SYSCAN, together with his most recent analysis of the new security features Microsoft has put in place in response to the discovery of the vulnerability, discussing the fixes Microsoft has introduced and the security gaps that remain with regard to privilege escalation attacks.
The key points are:
1) XP/2003 remain vulnerable to these attacks, as Microsoft decided not to release updates for them and currently has no intention of doing so.
2) Vista onwards has new security features that can be configured to provide increased resiliency against these attacks.
3) The default configuration is vulnerable, so you only gain this protection if you make the effort to harden your configuration in line with Microsoft's recommendations.
4) When configured correctly, the new security controls provide strong protection against the most serious forms of these attacks and represent a big step forward in this respect.
5) Some specific privilege escalation scenarios (the less severe of the attacks) are not covered by these new security controls.