August 15, 2016 By Douglas Bonderud 2 min read

It’s been a busy year for Windows security. Back in March, Microsoft bulletin MS16-027 addressed a remote code exploit that could grant cybercriminals total control of a PC if users opened “specially crafted media content that is hosted on a website.” Just last month, a problem with secure boot keys caused a minor panic among users.

However, new Microsoft patches are still dealing with a flaw discovered in November of last year — it was first Evil Maid and now is back again as Malicious Butler. Previous attempts to slam this door shut have been unsuccessful. Has the Redmond giant finally served up software security?

Critical Microsoft Patches Tackle the Butler

According PC World, Microsoft recently rolled out its latest slew of security patches, which collectively address 27 vulnerabilities in Windows, Office, Explorer and the Edge browser. Five are considered critical: MS16-095, MS16-096, MS16-099, MS16-097 and MS16-102, all of which could allow remote code execution. The first three tackle issues with webpages or Office documents, while 097 solves problems with the Windows Graphics Component and 102 targets a flaw in the Windows PDF library.

Not mentioned as critical is MS16-101, which was first discovered in 2015 as CVE-2015-6095. Its original iteration allowed cybercriminals to bypass the requirement for Windows login authentication by using a rogue domain controller (DC) with the same domain name as the intended victim’s PC.

Next, attackers had to create a user account matching the victim’s and set the password to expire, then connect the rogue DC and change the soon-to-be-expired password so it was added to the cache of locally approved credentials. Microsoft released a patch, but security researchers found it to be incomplete. Another fix, CVE-2016-0049, was released in February 2016.

Microsoft experts Chaim Hoch and Tal Be’ery, however, discovered a way to convert the Evil Maid attack — which required physical access to the target computer — into a remote malicious butler exploit. In the new version, attackers were able to compromise one machine on a network and then use other reconnaissance tools to find PCs with open remote desktop protocol (RDP) ports.

Even with two Microsoft patches, the flaw was still functional. Hopefully, MS16-101 is the pink slip for this bad butler.

Of Boots and Butlers

Cybercriminals haven’t gone easy on Microsoft this year, but the company hasn’t done itself any favors either. Consider the recent Secure Boot problem: According to ZDNet, while Secure Boot protects users from accidentally damaging their systems with new operating systems or risky third-party apps, developers and researchers occasionally need to disable this security measure to test and tweak their OS.

The problem: Microsoft has a number of golden keys, which let any admin user unlock Secure Boot devices — keys that were recently leaked online. A patch in July didn’t fix the issue, but August’s Microsoft patches should do the trick.

Ultimately, butler and boot problems ring two warning bells. First, there’s no aspect of any large software offering that is completely secure. Attacks can come from any direction at any time.

Second, patches aren’t a foolproof cure. The more typical scenario seems to be quiet denial of any critical flaw followed by proof-of-concept, recognition and at least two rounds of patches to guarantee system safety.

Simply put: Software security is always on the way — just don’t expect speedy service.

More from

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today