Microsoft has moved to patch a critical vulnerability in Windows that it worked on repairing for over a year after it was first reported.
Two separate patches (MS15-011 and MS15-014) were released in tandem. Applied together, they plug a gap in Group Policy and limit the threat of third-party code execution that could allow hackers to take "complete control of an affected system."
MS15-011, the more critical of the two patches, prevents that takeover. Microsoft warned that, if the patch is not installed, the flaw could "allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network."
One typical way the flaw could be used was through an on-LAN or man-in-the-middle attack, leaving corporate data on Windows machines vulnerable when they connected to a non-trusted network without the use of a virtual private network (VPN).
Windows Server 2003 gets no patch
JAS Global Advisors brought the problem to Microsoft's attention in January 2014 and kept it quiet so that Microsoft could work on a fix for what JAS called a "complicated issue"; JAS was sympathetic to the length of time it took.
The vulnerability covers Windows Vista; Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2; Windows 7, 8 and 8.1; and Windows RT and RT 8.1. Of all those, Windows Server 2003 is the only one that won't be receiving a patch, and anyone using it is advised to upgrade.
Via: The Inquirer