It’s been a busy year for Windows security. Back in March, Microsoft bulletin MS16-027 addressed a remote code exploit that could grant cybercriminals total control of a PC if users opened “specially crafted media content that is hosted on a website.” Just last month, a problem with secure boot keys caused a minor panic among users.

However, new Microsoft patches are still dealing with a flaw discovered in November of last year — it was first Evil Maid and now is back again as Malicious Butler. Previous attempts to slam this door shut have been unsuccessful. Has the Redmond giant finally served up software security?

Critical Microsoft Patches Tackle the Butler

According PC World, Microsoft recently rolled out its latest slew of security patches, which collectively address 27 vulnerabilities in Windows, Office, Explorer and the Edge browser. Five are considered critical: MS16-095, MS16-096, MS16-099, MS16-097 and MS16-102, all of which could allow remote code execution. The first three tackle issues with webpages or Office documents, while 097 solves problems with the Windows Graphics Component and 102 targets a flaw in the Windows PDF library.

Not mentioned as critical is MS16-101, which was first discovered in 2015 as CVE-2015-6095. Its original iteration allowed cybercriminals to bypass the requirement for Windows login authentication by using a rogue domain controller (DC) with the same domain name as the intended victim’s PC.

Next, attackers had to create a user account matching the victim’s and set the password to expire, then connect the rogue DC and change the soon-to-be-expired password so it was added to the cache of locally approved credentials. Microsoft released a patch, but security researchers found it to be incomplete. Another fix, CVE-2016-0049, was released in February 2016.

Microsoft experts Chaim Hoch and Tal Be’ery, however, discovered a way to convert the Evil Maid attack — which required physical access to the target computer — into a remote malicious butler exploit. In the new version, attackers were able to compromise one machine on a network and then use other reconnaissance tools to find PCs with open remote desktop protocol (RDP) ports.

Even with two Microsoft patches, the flaw was still functional. Hopefully, MS16-101 is the pink slip for this bad butler.

Of Boots and Butlers

Cybercriminals haven’t gone easy on Microsoft this year, but the company hasn’t done itself any favors either. Consider the recent Secure Boot problem: According to ZDNet, while Secure Boot protects users from accidentally damaging their systems with new operating systems or risky third-party apps, developers and researchers occasionally need to disable this security measure to test and tweak their OS.

The problem: Microsoft has a number of golden keys, which let any admin user unlock Secure Boot devices — keys that were recently leaked online. A patch in July didn’t fix the issue, but August’s Microsoft patches should do the trick.

Ultimately, butler and boot problems ring two warning bells. First, there’s no aspect of any large software offering that is completely secure. Attacks can come from any direction at any time.

Second, patches aren’t a foolproof cure. The more typical scenario seems to be quiet denial of any critical flaw followed by proof-of-concept, recognition and at least two rounds of patches to guarantee system safety.

Simply put: Software security is always on the way — just don’t expect speedy service.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…