
Microsoft rushes to fix botched patch

By Admire Moyo, ITWeb's news editor.
Johannesburg, 12 Jan 2017
The Microsoft vulnerability was reported as remote denial-of-service.

Software giant Microsoft has moved to replace a botched patch which allowed an attacker to crash the Windows Local Security Authority Subsystem Service (LSASS).

LSASS is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

Last week, US-based computer and network security company, Core Security, issued an embargoed press release about the vulnerability. However, before the embargo was lifted, Microsoft asked the security company to hold the posting as it moved to replace the patch.

The vulnerability affected all Windows versions, both 32- and 64-bit, and was reported and later described in more detail by security researcher Laurent Gaffié on the same day that the initial fix was published. He also published proof-of-concept code triggering the vulnerability.

Nicolas Economou, exploit writer specialist at Core Security, explains that this vulnerability was reported as a remote denial-of-service, where the crash is produced via a NULL-pointer dereference, a subtype of memory error that causes a segmentation fault. Running a program that contains a NULL-pointer dereference generates an immediate segmentation fault error.

When the LSASS service crashes, the target is automatically restarted after 60 seconds, which is not very nice when it's a production server, says Economou.

"I realised that the fix wasn't working when I tried to understand why the public proof-of-concept wasn't working against Windows 10. It's surprising to see that nobody else noticed that and that a considerable amount of Windows users have been unprotected for more than two months since the public exploit was released," he notes.

"As of 10 January, Microsoft decided to release a new security bulletin including a patch for the affected systems (MS17-004). Basically, the same 64KB packet size check used by Windows 8.1 and Windows 10 was added to the rest of the Windows versions."
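The fix described above is a size check applied before an inbound authentication packet is handled. The following C program is an added illustration of that defensive pattern and is not code from Microsoft, Core Security or the article: the 64KB limit is taken from the article, but the packet layout (a 4-byte little-endian declared payload length followed by the payload), the function names and the result codes are constructed assumptions and say nothing about how LSASS actually parses requests. The point it shows is that both the oversize case and a header that lies about its length are rejected before any allocation or parsing, and that a failed allocation is reported rather than dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on an inbound packet, modelled on the 64KB check the article
 * says MS17-004 added. The constant, the header layout and the result codes
 * below are assumptions for illustration, not LSASS internals. */
#define MAX_AUTH_PACKET 65536u
#define HEADER_LEN 4u

enum auth_result {
    AUTH_ACCEPTED   = 0,
    AUTH_BAD_HEADER = 1,  /* fewer bytes than a header */
    AUTH_TOO_LARGE  = 2,  /* exceeds MAX_AUTH_PACKET */
    AUTH_TRUNCATED  = 3,  /* header claims more payload than arrived */
    AUTH_NO_MEMORY  = 4   /* allocation failed; reported, not dereferenced */
};

/* Read the constructed 4-byte little-endian declared payload length. */
static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate an inbound packet before anything is allocated or parsed.
 * Every check is on lengths the caller already knows, so nothing here
 * can touch memory beyond [buf, buf + len). */
enum auth_result check_auth_packet(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < HEADER_LEN)
        return AUTH_BAD_HEADER;
    if (len > MAX_AUTH_PACKET)            /* the size check from the patch */
        return AUTH_TOO_LARGE;
    uint32_t declared = read_u32_le(buf);
    if (declared > len - HEADER_LEN)      /* declared length vs. what arrived */
        return AUTH_TRUNCATED;
    return AUTH_ACCEPTED;
}

/* Copy the payload into a fresh buffer only after validation. The caller
 * owns *out on AUTH_ACCEPTED and must free() it. */
enum auth_result handle_auth_packet(const uint8_t *buf, size_t len,
                                    uint8_t **out, size_t *out_len)
{
    enum auth_result r = check_auth_packet(buf, len);
    if (r != AUTH_ACCEPTED)
        return r;
    uint32_t declared = read_u32_le(buf);
    uint8_t *copy = malloc(declared ? declared : 1);
    if (copy == NULL)                     /* report instead of dereferencing NULL */
        return AUTH_NO_MEMORY;
    memcpy(copy, buf + HEADER_LEN, declared);
    *out = copy;
    *out_len = declared;
    return AUTH_ACCEPTED;
}

/* Stand-alone demo over three constructed packets. */
int main(void)
{
    static uint8_t oversize[MAX_AUTH_PACKET + 1];     /* 65537 bytes, all zero */
    uint8_t small[8] = { 4, 0, 0, 0, 'a', 'b', 'c', 'd' };
    uint8_t lying[8] = { 0xff, 0xff, 0, 0, 'a', 'b', 'c', 'd' };
    uint8_t *payload = NULL;
    size_t payload_len = 0;

    printf("small packet:    %d\n", check_auth_packet(small, sizeof small));
    printf("oversize packet: %d\n", check_auth_packet(oversize, sizeof oversize));
    printf("lying header:    %d\n", check_auth_packet(lying, sizeof lying));

    if (handle_auth_packet(small, sizeof small, &payload, &payload_len) == AUTH_ACCEPTED) {
        printf("payload of %zu bytes: %.*s\n", payload_len, (int)payload_len, payload);
        free(payload);
    }
    return 0;
}
```

Rejecting on length before parsing is the cheap half of the mitigation; the other half is that every later dereference is of a pointer whose validity the code has just established, which is why the allocation result is tested rather than assumed.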

In acknowledgement of the vulnerability after the patch, Microsoft says: "A denial-of-service vulnerability exists in the way the Local Security Authority Subsystem Service handles authentication requests.

"An attacker who successfully exploited the vulnerability could cause a denial-of-service on the target system's LSASS service, which triggers an automatic reboot of the system. The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests."
