News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Yes, you do need to patch sooner or later

    Posted on September 15th, 2020 at 08:06 woody Comment on the AskWoody Lounge

    You know how I say that there’s no reason to patch as soon as the patches come out — but you need to patch sooner or later?

    Those of you running Windows Server as a domain controller just showed the rest of us how important that “sooner or later” can be.

    Microsoft patched CVE-2020-1472 last month. The security hole was (and still is) described as “2 – Exploitation Less Likely,” thus not of immediate concern. It wasn’t publicly disclosed or exploited at the time (it wasn’t a zero-day). If you followed along with the MS-DEFCON system (which, admittedly, isn’t designed for admins with Windows Server domain controllers) you would’ve installed the patch late last month or early this month.

    Good for you.

    Yesterday,the Dutch security company Secura B.V. released a full report of the security hole – and it’s a doozy. Catalin Cimpanu at ZDNet has a thorough description:

    According to Secura experts, the bug, which they named Zerologon, takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process.

    This bug allows an attacker to manipulate Netlogon authentication procedures and:

    • impersonate the identity of any computer on a network when trying to authenticate against the domain controller
    • disable security features in the Netlogon authentication process
    • change a computer’s password on the domain controller’s Active Directory (a database of all computers joined to a domain, and their passwords)

    There are limitations to how a Zerologon attack can be used. For starters, it cannot be used to take over Windows Servers from outside the network. An attacker first needs a foothold inside a network.

    However, when this condition is met, it’s literally game over for the attacked company.

    It’s a bad one. But you got your Server patched a couple of weeks ago, yes?

    It’s rare to have a security hole erupt this quickly – although it does happen. We still haven’t seen widespread attacks. But it’s only a matter of time.