JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
The vulnerability allows hackers to remotely take control of Windows devices that connect to an Active Directory domain.
JASBUG is registered in the Common Vulnerabilities and Exposures system as CVE-2015-0008. The Industrial Control Systems Cyber Emergency Response Team, part of the Department of Homeland Security, issued ICS-ALERT-15-041-01, warning control systems owners that they should expedite applying critical JASBUG fixes.
Microsoft released two patches, MS15-011 and MS15-014, to address JASBUG on the same day the vulnerability was disclosed. These fixes took Microsoft over a year to develop and deploy due to the complexity of the JASBUG vulnerability.
At the time of disclosure, more than 300 million computers were believed to be vulnerable to the exploit.
JASBUG was disclosed to the public by Microsoft as a part of "Patch Tuesday," on February 10th, 2015.
The vulnerability was initially reported to Microsoft in January 2014 by Jeff Schmidt, founder of JAS Global Advisors. After Microsoft publicly announced the security vulnerability, it garnered the name JASBUG in reference to the role JAS Global Advisors played in discovering the exploit.
In 2014, JAS Global Advisors was working on an engagement with the Internet Corporation for Assigned Names and Numbers (ICANN), the organization governing the standards of the Internet, to research potential technical issues surrounding the rollout of new Generic Top Level Domains (gTLDs) on the Internet.
While working on the research, JAS Global Advisors, with business partner SimMachines, uncovered the vulnerability by applying "big data" analytical techniques to very large technical data sets.
JASBUG principally affects business and government users. Home users are less likely to be affected by JASBUG because they do not use domain-configured computers.
White House cybersecurity advisor Michael Daniel spoke about the importance of addressing JASBUG in a meeting of the Information Security and Privacy Advisory Board of the National Institute for Standards and Technology, and the Office of Management and Budget and the Department of Homeland Security immediately took steps to fix the vulnerability on federal networks.
Suzanne E. Spaulding, serving as Under Secretary for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, mentioned JASBUG in a February 2015 House of Representatives hearing that touched on the potential effect of a DHS funding hiatus.
In the aftermath of JASBUG, various government agencies have updated their technical specifications to mitigate exploit risks. For example, the United States Department of Veteran Affairs decided in May 2015 to "unapprove" the use of Windows Server 2003 based on JASBUG risks.
According to Microsoft, the exploit takes advantage of how Group Policy receives and applies policy data when a domain-joined system connects to a domain controller. One likely exploitation of the flaw involves deceiving a user with a domain-configured system into a network controlled by a hacker.
Despite the potential effect, there is no indication that the JASBUG vulnerability was ever used by cyberhackers to access corporate or government computers.
JASBUG affects Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1. Windows Server 2003 is also affected, but there will not be a JASBUG patch this platform, as Microsoft has indicated that it is not feasible to build a fix for this version.  JASBUG also affects Windows XP and Windows 2000, but no patch will be made available for these operating systems as they are no longer supported by Microsoft.
Unlike other high-profile vulnerabilities like Heartbleed, Shellshock, Gotofail and POODLE, JASBUG was a design problem, not an implementation problem, making this type of vulnerability unusual and much more difficult to fix. The fix required Microsoft to re-engineer core components of the operating system and to add several new features, including additional hardening of Group Policy, the feature that organizations use to centrally manage Windows systems, applications, and user settings in Active Directory environments.
Microsoft was not able to fix the JASBUG flaw on Windows Server 2003 systems, noting that "The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003."
For unpatched and unpatchable platforms that may be vulnerable to JASBUG, security firms like Symantec recommend that organizations use intrusion prevention systems (IPS) to monitor network activity for possible malicious JASBUG traffic.
If any hackers knew about this since the year 2000, they could have used it to sneak into company computer systems and take complete control.
In a security bulletin, MS15-011, the tech giant revealed that the critical vulnerability affects all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
Today, Microsoft has issued a critical patch to every supported version of Windows that resolves a bug that may have been open for as long as fifteen years could allow attackers to remotely take control of Windows devices that connect to an Active Directory domain.
The bug (CVE-2015-0008) was discovered over a year ago when global DNS overlord ICANN hired JAS to check out the security of its systems for creating new generic top-level domains.
Control systems that are members of a corporate Active Directory may be at risk. ICS-CERT is monitoring this vulnerability and will provide additional information related to control systems as it becomes available.
In order to remedy the flaw, Microsoft was forced to re-engineer core components of Windows, to add several new features. This meant extensive testing to ensure backwards compatibility, supported configurations, and new documentation to describe the changes was required, a process that took Microsoft over a year.
Outside of the Fortune 500, we estimate that another 300 million computers could be affected by the JASBUG security threat.
Microsoft released technical patches [for JASBUG] as a part of its "Patch Tuesday" release on 10 February 2015.
...the Redmond tech titan learned about the problem back in January 2014.
Discovered by Jeff Schmidt, founder of JAS Global Advisors, the flaw required Microsoft to fix to fix how domain-configured systems connect to domain controllers.
Das Sicherheitsleck wurde nach einer der Firmen benannt, die es Microsoft gemeldet haben. Weil das Unternehmen JAS Global Advisors heißt, heißt die Lücke Jasbug.
Jasbug vulnerability do [sic] not affects home users because they are not usually domain-configured
That has an impact on our ability to quickly address--identify and address vulnerabilities like the JASBUG vulnerability that has been most recently in the media.
Due to the critical nature of JASBUG, Windows Server 2003 is TRM unapproved and should only be used when the security risks are outweighed by the benefits as reviewed and approved by the AERB waiver process.
...there is no indication that it had been publicly used to attack customers.
Patch now, unless you run 2003, in which case you're out of luck.
Les versions Windows 2000 et XP n’étant plus supportées par Microsoft, il n’existe pas de correctifs.
In a rare move, Microsoft had to re-engineer some core components of the Windows operating system in order to mitigate a critical design vulnerability that could allow attackers to gain administrator-level privileges on tens-of-millions of devices.