August 15, 2016 By Douglas Bonderud 2 min read

It’s been a busy year for Windows security. Back in March, Microsoft bulletin MS16-027 addressed a remote code exploit that could grant cybercriminals total control of a PC if users opened “specially crafted media content that is hosted on a website.” Just last month, a problem with secure boot keys caused a minor panic among users.

However, new Microsoft patches are still dealing with a flaw discovered in November of last year — it was first Evil Maid and now is back again as Malicious Butler. Previous attempts to slam this door shut have been unsuccessful. Has the Redmond giant finally served up software security?

Critical Microsoft Patches Tackle the Butler

According PC World, Microsoft recently rolled out its latest slew of security patches, which collectively address 27 vulnerabilities in Windows, Office, Explorer and the Edge browser. Five are considered critical: MS16-095, MS16-096, MS16-099, MS16-097 and MS16-102, all of which could allow remote code execution. The first three tackle issues with webpages or Office documents, while 097 solves problems with the Windows Graphics Component and 102 targets a flaw in the Windows PDF library.

Not mentioned as critical is MS16-101, which was first discovered in 2015 as CVE-2015-6095. Its original iteration allowed cybercriminals to bypass the requirement for Windows login authentication by using a rogue domain controller (DC) with the same domain name as the intended victim’s PC.

Next, attackers had to create a user account matching the victim’s and set the password to expire, then connect the rogue DC and change the soon-to-be-expired password so it was added to the cache of locally approved credentials. Microsoft released a patch, but security researchers found it to be incomplete. Another fix, CVE-2016-0049, was released in February 2016.

Microsoft experts Chaim Hoch and Tal Be’ery, however, discovered a way to convert the Evil Maid attack — which required physical access to the target computer — into a remote malicious butler exploit. In the new version, attackers were able to compromise one machine on a network and then use other reconnaissance tools to find PCs with open remote desktop protocol (RDP) ports.

Even with two Microsoft patches, the flaw was still functional. Hopefully, MS16-101 is the pink slip for this bad butler.

Of Boots and Butlers

Cybercriminals haven’t gone easy on Microsoft this year, but the company hasn’t done itself any favors either. Consider the recent Secure Boot problem: According to ZDNet, while Secure Boot protects users from accidentally damaging their systems with new operating systems or risky third-party apps, developers and researchers occasionally need to disable this security measure to test and tweak their OS.

The problem: Microsoft has a number of golden keys, which let any admin user unlock Secure Boot devices — keys that were recently leaked online. A patch in July didn’t fix the issue, but August’s Microsoft patches should do the trick.

Ultimately, butler and boot problems ring two warning bells. First, there’s no aspect of any large software offering that is completely secure. Attacks can come from any direction at any time.

Second, patches aren’t a foolproof cure. The more typical scenario seems to be quiet denial of any critical flaw followed by proof-of-concept, recognition and at least two rounds of patches to guarantee system safety.

Simply put: Software security is always on the way — just don’t expect speedy service.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today