Most organizations understand the importance of timely implementing software updates and patches. However, open platforms have permitted a level of customization such that a patch in one application may have unintended consequences in other parts of the overall system architecture, including customization of the software being updated. A good example is the recent Microsoft security patch released in June that resulted in problems with many users’ Group Policy objects (“GPOs”). While Microsoft issued guidance on July 5 as to how to repair the Group Policy problems caused by the patch, the experience is an example of unintended consequences that can arise during routine product security updates.
Group Policy is Microsoft’s tool for managing user and computer settings on certain networks. In other words, Group Policy determines which users and devices get access to the sensitive data of the company (and the applications), or have the authority to make changes to the system (the “keys to the kingdom”). Microsoft reportedly was beset with a bevy of complaints from users reporting network and user access issues caused by the patch.
The patch, released on June 14, resolved a vulnerability that could allow elevation of privilege in the event of a “man-in-the-middle” (“MiTM”) attack against traffic passing between a domain controller and a target machine. Generally speaking, a MiTM attack is an attack on authentication protocol in which the attacker positions itself between two parties so as to intercept (and possibly alter) the data traveling between them. According to Microsoft, if a MiTM attack were underway, an attacker could create a group policy to grant administrator rights to a standard user.
Microsoft’s June patch addressed the vulnerability by enforcing Kerberos authentication for certain calls over Lightweight Directory Access Protocol (“LDAP”), but it had the additional effect of breaking many users’ Group Policy Objects. In other words, the patch limited an exploit of an outside hacker, but in doing so potentially gave internal users, qualified only for limited permissions, unfettered access to system controls. In simplified terms, where a user normally would have only “read” rights, taking down the GPO could grant that user read, write, and edit rights.
While the debate initially involved whether the unintended consequence of the patch was the fault of Microsoft or the users, in the event of a breach, the debate makes little difference to the affected company. Careful and thoughtful consideration is required to balance the complexities of an information security program. Understanding the implications of an update and patch policy (which to most may seem simple), is just the beginning.