All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
NCCIC/ICS-CERT is issuing this alert to provide notice of a Microsoft Windows critical security update described in Microsoft’s Security Bulletin MS15-011 [a]. This serious vulnerability impacts control system owners using a domain-configured system. Exploitation of this vulnerability could allow a remote attacker to take complete control of an affected Windows system.
This security update is rated Critical for all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. For more information, see the Affected Software section of the Microsoft security bulletin.
Deploying this security update is not sufficient on its own: to be protected from the vulnerability described in this bulletin, a system administrator must also apply additional configuration. For more information about this update, see Microsoft Knowledge Base Article 3000483 [b].
Be aware that updates are not available for Windows XP, Windows Server 2003, or Windows 2000.
ICS-CERT urges control systems owners to expedite the careful application of this critical update. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
| Vulnerability Type | Remotely Exploitable | Impact |
|---|---|---|
| Remote Code Execution | Yes | An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
Control systems that are members of a corporate Active Directory may be at risk. ICS-CERT is monitoring this vulnerability and will provide additional information related to control systems as it becomes available.
This vulnerability impacts core components of the Microsoft Windows Operating System. All computers and devices that are members of a corporate Active Directory may be at risk. The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device. Roaming machines and Active Directory member devices that connect to corporate networks via the public Internet (possibly over a Virtual Private Network [VPN]) are at heightened risk.
The Microsoft security update contains a new policy feature (UNC Hardened Access) that is not enabled by default. To enable this feature, a system administrator must deploy the update and then apply the Group Policy settings described in the bulletin. For complete protection against this vulnerability, system reboots are required. More information on the impact of the vulnerability can be found on Microsoft’s blog at:
Microsoft attributes discovery of the vulnerability to Jeff Schmidt of JAS Global Advisors, Dr. Arnoldo Muller-Molina of simMachines, The Internet Corporation for Assigned Names and Numbers (ICANN), and Luke Jennings from MWR Labs. JAS Global Advisors has produced their own advisory located at:
There are no known workarounds or mitigations for this vulnerability. Updates are not available for End of Life products (Windows XP, Windows Server 2003, and Windows 2000).
ICS-CERT strongly recommends that administrators prioritize the review of the Security Bulletin, test the necessary configuration changes discussed in the associated Knowledge Base article (KB3000483), and apply the patch.
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should do the following:
- Review Microsoft Security Bulletin MS15-011
- Apply the update from Microsoft
- Restart systems and apply configuration changes as described in the KB Article KB3000483
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet [c].
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
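A check for the configuration step above, as an added example that is not part of the ICS-CERT alert or Microsoft's own tooling. It assumes the registry location and option names of the "Hardened UNC Paths" Group Policy setting as documented by Microsoft for KB3000483 (they are not given in this alert); the function names and the sample data are constructed for illustration.

```powershell
# Added example. Registry key and option names are those of the
# "Hardened UNC Paths" policy (KB3000483); they do not appear in the alert.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$Required  = 'RequireMutualAuthentication', 'RequireIntegrity'
$Shares    = 'NETLOGON', 'SYSVOL'   # shares that carry Group Policy content

function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    # "RequireMutualAuthentication=1, RequireIntegrity=1" -> hashtable
    $opts = @{}
    foreach ($pair in $Value -split ',') {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $opts[$name.Trim()] = "$setting".Trim() }
    }
    return $opts
}

function Get-HardenedPathEntries {
    # Read every value under the policy key: UNC pattern -> option string
    $entries = @{}
    $key = Get-Item -LiteralPath $PolicyKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($n in $key.GetValueNames()) { $entries[$n] = [string]$key.GetValue($n) }
    }
    return $entries
}

function Test-HardenedUncPolicy {
    param([hashtable]$Entries)
    foreach ($share in $Shares) {
        # Accept any configured pattern ending in \<share>, e.g. \\*\NETLOGON
        $pattern = $Entries.Keys | Where-Object { $_ -like "\\*\$share" } | Select-Object -First 1
        $opts    = if ($pattern) { ConvertFrom-HardenedPathValue $Entries[$pattern] } else { @{} }
        $missing = @($Required | Where-Object { $opts[$_] -ne '1' })
        [pscustomobject]@{
            Share    = $share
            Pattern  = $pattern
            Missing  = $missing -join ', '
            Hardened = ($missing.Count -eq 0)
        }
    }
}

# Constructed sample: SYSVOL entry exists but does not enforce integrity
$sample = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1'
}
Test-HardenedUncPolicy $sample | Format-Table -AutoSize

# On a domain member, evaluate the policy actually applied to the machine
Test-HardenedUncPolicy (Get-HardenedPathEntries) | Format-Table -AutoSize
```

A host with the update installed but no entries under the policy key reports both shares as not hardened, which is the default state the alert describes.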
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
ICS-CERT also provides a recommended practices section for control systems on the ICS-CERT web site (http://ics-cert.us-cert.gov). Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
- a. Microsoft Security Bulletin MS15-011 – Critical, https://technet.microsoft.com/library/security/MS15-011, web site last accessed February 10, 2015.
- b. MS15-011: Vulnerability in Group Policy could allow remote code execution: February 10, 2015, https://support.microsoft.com/kb/3000483, web site last accessed February 10, 2015.
- c. ICS-CERT ALERT, http://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01, web site last accessed February 10, 2015.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870