August 15, 2016 By Douglas Bonderud 2 min read

It’s been a busy year for Windows security. Back in March, Microsoft bulletin MS16-027 addressed a remote code exploit that could grant cybercriminals total control of a PC if users opened “specially crafted media content that is hosted on a website.” Just last month, a problem with secure boot keys caused a minor panic among users.

However, new Microsoft patches are still dealing with a flaw discovered in November of last year — it was first Evil Maid and now is back again as Malicious Butler. Previous attempts to slam this door shut have been unsuccessful. Has the Redmond giant finally served up software security?

Critical Microsoft Patches Tackle the Butler

According PC World, Microsoft recently rolled out its latest slew of security patches, which collectively address 27 vulnerabilities in Windows, Office, Explorer and the Edge browser. Five are considered critical: MS16-095, MS16-096, MS16-099, MS16-097 and MS16-102, all of which could allow remote code execution. The first three tackle issues with webpages or Office documents, while 097 solves problems with the Windows Graphics Component and 102 targets a flaw in the Windows PDF library.

Not mentioned as critical is MS16-101, which was first discovered in 2015 as CVE-2015-6095. Its original iteration allowed cybercriminals to bypass the requirement for Windows login authentication by using a rogue domain controller (DC) with the same domain name as the intended victim’s PC.

Next, attackers had to create a user account matching the victim’s and set the password to expire, then connect the rogue DC and change the soon-to-be-expired password so it was added to the cache of locally approved credentials. Microsoft released a patch, but security researchers found it to be incomplete. Another fix, CVE-2016-0049, was released in February 2016.

Microsoft experts Chaim Hoch and Tal Be’ery, however, discovered a way to convert the Evil Maid attack — which required physical access to the target computer — into a remote malicious butler exploit. In the new version, attackers were able to compromise one machine on a network and then use other reconnaissance tools to find PCs with open remote desktop protocol (RDP) ports.

Even with two Microsoft patches, the flaw was still functional. Hopefully, MS16-101 is the pink slip for this bad butler.

Of Boots and Butlers

Cybercriminals haven’t gone easy on Microsoft this year, but the company hasn’t done itself any favors either. Consider the recent Secure Boot problem: According to ZDNet, while Secure Boot protects users from accidentally damaging their systems with new operating systems or risky third-party apps, developers and researchers occasionally need to disable this security measure to test and tweak their OS.

The problem: Microsoft has a number of golden keys, which let any admin user unlock Secure Boot devices — keys that were recently leaked online. A patch in July didn’t fix the issue, but August’s Microsoft patches should do the trick.

Ultimately, butler and boot problems ring two warning bells. First, there’s no aspect of any large software offering that is completely secure. Attacks can come from any direction at any time.

Second, patches aren’t a foolproof cure. The more typical scenario seems to be quiet denial of any critical flaw followed by proof-of-concept, recognition and at least two rounds of patches to guarantee system safety.

Simply put: Software security is always on the way — just don’t expect speedy service.

More from

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today