Here are answers to frequently asked questions about the JASBUG security vulnerability, which was discovered by our firm and announced by Microsoft on 10 February 2015.
What is this all about?
The Internet Corporation for Assigned Names and Numbers (ICANN) engaged JAS Global Advisors LLC (JAS) and simMachines to research potential technical issues relating to the rollout of new Generic Top Level Domains (New gTLDs) on the Internet. Background is available here.
During the course of the research, JAS and simMachines uncovered a vulnerability related neither to ICANN’s New gTLD Program nor to new TLDs in general. Once the seriousness of the vulnerability was understood, JAS notified the affected vendor and withheld further disclosure until the vendor had addressed the vulnerability. This response was consistent with ICANN’s Coordinated Vulnerability Disclosure Reporting Process and with industry best practices.
The affected vendor, Microsoft, released updated documentation and technical patches as part of its regular “Patch Tuesday” release on 10 February 2015. Information from Microsoft relating to this issue is available here: https://technet.microsoft.com/library/security/MS15-011
Since every bug needs a name, this one has been deemed “JASBUG.”
What is the scope of the vulnerability?
Microsoft has classified this vulnerability “Critical,” meaning that “…exploitation could allow code execution without user interaction.” This is the most serious rating in Microsoft’s classification taxonomy.
The vulnerability affects core components of the Microsoft Windows operating system. All computers and devices that are members of a corporate Active Directory domain may be at risk. The vulnerability is remotely exploitable and may grant the attacker administrator-level privileges on the target machine or device. Roaming machines, that is, Active Directory member devices that connect to corporate networks via the public Internet (possibly over a Virtual Private Network (VPN)), are at heightened risk, because traffic between such a device and its domain traverses networks the enterprise does not control.
How was the vulnerability discovered?
The vulnerability was discovered by applying “big data” analytical techniques to very large (and relatively obscure) technical datasets. The analysis revealed unusual patterns in the datasets, which directed additional expert inspection. The combination of sophisticated data analytics by simMachines and JAS’ technical security expertise revealed a fundamental design flaw that had remained undetected for at least a decade.
When was it first reported to Microsoft?
The vulnerability was first reported to Microsoft in January 2014. Microsoft immediately understood the seriousness of the vulnerability and began formulating its response.
Why did it take so long to fix?
The circumstances around this vulnerability are unusual, if not unprecedented, and necessitated a long remediation cycle.
Unlike recent high-profile vulnerabilities such as Heartbleed, Shellshock, Gotofail, and POODLE, this is a design problem, not an implementation problem. The fix required Microsoft to re-engineer core components of the operating system and to add several new features. Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimize the potential for unanticipated side effects. Documentation and other communication with IT systems administrators describing the changes were also needed.
Additionally, given the nature of the vulnerability, few stopgap mitigations are available. It was therefore critical to maintain confidentiality so that Microsoft had the time to “fix it right” rather than being forced to “fix it fast.” Rushed interim fixes are risky, unreliable, and potentially ineffective.
This is an instance of responsible vulnerability disclosure at its finest. Because of the combined efforts of JAS, simMachines, ICANN, and Microsoft, the Internet is a safer place.
What should IT professionals do?
IT professionals administering Microsoft environments should immediately review the Microsoft documentation available at https://technet.microsoft.com/library/security/MS15-011. Installing the update alone does not complete remediation: the fix introduces a new feature that must be configured on Active Directory clients and servers, so systems administrators should move rapidly but responsibly.
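The following PowerShell is an added example, not part of the original FAQ or of Microsoft's bulletin text. It audits and, when run elevated, sets the Hardened UNC Paths policy that the February 2015 Group Policy update introduced; the two paths and the flag values mirror Microsoft's recommended configuration for the SYSVOL and NETLOGON shares, while the function names and the `$Recommended` table are the editor's own. The setting has no effect on clients that have not installed the update.

```powershell
# Added example (editor's code, not JAS's or Microsoft's): audit and configure
# the "Hardened UNC Paths" policy delivered with the February 2015 update.
# Run in an elevated PowerShell session on a domain-joined Windows client.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Recommended entries: the SYSVOL and NETLOGON shares on every domain controller
# must be reached with Kerberos mutual authentication and SMB signing.
$Recommended = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Get-HardenedUncPathStatus {
    # Emits one object per recommended path, reporting the configured value
    # and whether it carries both required flags.
    foreach ($path in $Recommended.Keys) {
        $current = $null
        if (Test-Path $HardenedPathsKey) {
            $current = (Get-ItemProperty -Path $HardenedPathsKey -ErrorAction SilentlyContinue).$path
        }
        $compliant = ($current -match 'RequireMutualAuthentication\s*=\s*1') -and
                     ($current -match 'RequireIntegrity\s*=\s*1')
        [pscustomobject]@{
            Path       = $path
            Configured = $current
            Compliant  = [bool]$compliant
        }
    }
}

function Set-HardenedUncPaths {
    # Writes the recommended values locally. Domain Group Policy overwrites this
    # key on refresh, so in production set it in a GPO instead
    # (Computer Configuration > Policies > Administrative Templates > Network >
    # Network Provider > Hardened UNC Paths) and let it replicate to all clients.
    if (-not (Test-Path $HardenedPathsKey)) {
        New-Item -Path $HardenedPathsKey -Force | Out-Null
    }
    foreach ($entry in $Recommended.GetEnumerator()) {
        New-ItemProperty -Path $HardenedPathsKey -Name $entry.Key -Value $entry.Value `
            -PropertyType String -Force | Out-Null
    }
}

# Audit first; call Set-HardenedUncPaths only on a machine you manage locally.
Get-HardenedUncPathStatus | Format-Table -AutoSize
```

Run the audit across a fleet before enforcing the setting: a client that reports `Compliant = False` for either path is still willing to fetch policy from an unauthenticated, unsigned SMB share, which is the exposure the update closes. Because the key lives under the `Policies` hive, the durable fix is the GPO setting; local registry edits are only useful for testing or for machines outside Group Policy management.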
When will the Phase Two JAS Name Collisions study be released?
As a result of the vulnerability, the JAS Name Collisions study was split into a Phase One and a Phase Two report. Phase One was released in June 2014. JAS and ICANN will work with Microsoft to determine the timeline for release of the Phase Two report.