Microsoft fixes .NET Framework bugs in acquiring or setting Active Directory information
Microsoft released an out-of-band update on Friday to fix bugs in its .NET Framework that affect acquiring or setting Active Directory (AD) forest trust information.
In a blog post, Microsoft said it made the update after realizing that, once users installed updates released on January 11 or later, applications acquiring or setting AD information could fail or shut down, or administrators could receive an error from an application or from Windows. It was also possible to receive an access violation error (0xc0000005).
These out-of-band updates are not available from Windows Update and will not install automatically. Microsoft said security professionals interested in the standalone package should find the Knowledge Base (KB) number for their version of Windows and .NET Framework in the Microsoft Update Catalog. They can then manually import updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.
Sometimes patches cause collateral damage, said John Bambenek, principal threat hunter at Netenrich. Bambenek said it’s often difficult to test all possible impacts of a patch, especially when it involves an API where custom code may be running and Microsoft may have very little visibility into how it is used. “Releasing it as an out-of-band patch means that developers and IT admins will have to do whatever they can to find out the patch exists and deploy it,” Bambenek said.
Johnny Martinelli, director of cybersecurity training at GRIMM, said that while this bugfix update is only indirectly related to a more security-focused patch, the cybersecurity implications of the recently buggy Patch Tuesday are real. Martinelli said cybersecurity experts who have been waging the battle between IT and cybersecurity long enough know one of many truths: system administrators prioritize availability over security.
“The regular release of patches (security or otherwise) that have not been thoroughly tested for stability, as we saw in January, will very quickly erode system administrators’ confidence in those patches, forcing them to wait until other companies have tried them in the field and reported any issues,” Martinelli said. “The proof-of-concept exploit will be made public, but system administrators will choose not to patch due to fears of instability. This time of uncertainty can quickly become a playground of close at hand and exploitable fruit, and companies that are discovered to subscribe to this ‘n-1’ security patching practice may even find themselves labeled as easy targets, which are prioritized for an attack each month on Patch Tuesday.”
Tyler Shields, CMO at JupiterOne, said security professionals commonly refer to Active Directory as the “keys to the realm.”
“Targeting the system that holds account authorization and authentication data can result in a massive compromise of an organization,” Shields said. “It’s one of the most commonly deployed account management systems and it needs to be secure and up to date at all times.”