Just in case it’s been, say, five minutes since you last worried about system vulnerabilities, here is one to ponder. Remember earlier this year when Google found an issue in Windows 8.1 and gave Microsoft 90 days to address it before Google took it public? Microsoft didn’t. Google did. The Google Security Research forum post went live, informing the world that there was a security vulnerability in Windows 8.1. It is unclear whether this vulnerability exists in any previous versions of Windows.
That post set off a torrent of debate, some supporting Google for helping everyone keep their systems safe, and others criticizing Google for broadcasting a vulnerability that could be exploited. Whether Google’s actions were motivated by responsible reporting or spiteful competition, the cat was out of the bag.
The bug they described allows users, in some cases, to boost their access level to administrator. However, the bug does not allow a non-user to access systems as a user. The real danger is an employee using the bug to boost their access level and reach something they shouldn’t, or a non-user hacking a user’s account and then bumping the access level up to steal data or plant malware. So, what does your IT service desk need to know about this bug (affectionately referred to by the Googlers as Issue 118)?
How Serious is This Vulnerability?
In the grand scheme of it all, the bug really isn’t that big a deal. It’s a garden-variety vulnerability of the kind that Windows (and many other platforms, for that matter) is fraught with these days. It’s not nearly as terrifying as some of the known vulnerabilities in Apple’s iOS. However, every vulnerability needs to be addressed, so here’s how your team can take control of Issue 118, which Microsoft dubbed MS14-075.
How to Make Sure the Vulnerability Isn’t Exploited in Your Systems
Your first step is to review your asset management system and make sure that users who have quit or been fired have been successfully deleted from the system. Next, keep tabs on suspicious logins on an ongoing basis. Security steps should include:
- Update antivirus software immediately and regularly
- Install security updates immediately and regularly
- Make sure firewalls are fully activated
Suspicious login activity to monitor includes:
- Logins from multiple locations with a single user name
- Any unusual number of logins from any user
- The same user logging in from multiple locations, especially if these locations are geographically separated
- Logins from strange places where it’s unlikely one of your folks is doing business
- Unusual activity in the database
- Unusual numbers of requests for a single file
- Unusual numbers of file queries in general
- An unusual influx of known or suspected malware
- Unusual queries for files reserved for users with high access levels
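Three of the login checks above (one user name at multiple locations, an unusual number of logins, and logins from unlikely places) can be automated over an exported login log. The script below is an added example, not part of the original article; the log format, sample records, location list, and thresholds are all constructed assumptions to adapt to your own environment.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, user, location); not real log data.
SAMPLE_LOG = """\
2015-01-12T08:01:00,alice,Chicago
2015-01-12T08:20:00,alice,Chicago
2015-01-12T08:40:00,alice,Kyiv
2015-01-12T09:00:00,bob,Chicago
2015-01-12T09:01:00,bob,Chicago
2015-01-12T09:02:00,bob,Chicago
2015-01-12T09:03:00,bob,Chicago
2015-01-12T09:04:00,bob,Chicago
2015-01-12T10:00:00,carol,Dallas
2015-01-12T17:30:00,carol,Chicago
"""

EXPECTED_LOCATIONS = {"Chicago", "Dallas"}  # assumption: where the business operates
WINDOW = timedelta(hours=1)                 # assumption: too short to travel between sites
MAX_LOGINS = 4                              # assumption: per-user ceiling for the period

def parse(text):
    """Return (datetime, user, location) tuples sorted by time."""
    rows = csv.reader(io.StringIO(text))
    return sorted((datetime.fromisoformat(t), u, loc) for t, u, loc in rows)

def find_suspicious(events):
    """Return a sorted list of (user, reason) findings."""
    findings = set()
    by_user = defaultdict(list)
    for ts, user, loc in events:
        if loc not in EXPECTED_LOCATIONS:
            findings.add((user, "unexpected location: " + loc))
        # Compare against this user's earlier logins inside the window.
        for prev_ts, prev_loc in by_user[user]:
            if prev_loc != loc and ts - prev_ts <= WINDOW:
                findings.add((user, "multiple locations within window"))
        by_user[user].append((ts, loc))
    for user, logins in by_user.items():
        if len(logins) > MAX_LOGINS:
            findings.add((user, "login count %d exceeds %d" % (len(logins), MAX_LOGINS)))
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in find_suspicious(parse(SAMPLE_LOG)):
        print(user, "-", reason)
```

A user who legitimately moves between two expected sites hours apart (carol in the sample) is not flagged; only a location change inside the time window is.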
Microsoft officials stressed that a security patch is on the way, though they did not provide a timeline in which to expect it. In the meantime, this information will help you stay on top of Issue 118/MS14-075.