Software Engineering Institute

Microsoft has released MS15-011, detailing a critical flaw in which Windows domain-configured client Group Policy fails to authenticate servers over Universal Naming Convention (UNC) paths. Upon connecting to a network, Group Policy runs logon scripts to receive and apply policy data from a domain controller. By joining an attacker-controlled network, the vulnerable system will execute attacker-provided scripts since the server is not required to authenticate itself. Because of the way that the Multiple UNC Provider (MUP) iterates through UNC providers to establish a connection to the domain controller, the vulnerability may be remotely exploitable when a UNC path is resolved over the Internet.

For more detailed information, visit Microsoft's blog about hardening Group Policy and JAS's JASBUG Fact Sheet.

A remote, unauthenticated attacker may execute arbitrary code and completely compromise vulnerable systems.

Apply an update and configure Group Policy settings

In addition to applying an update, administrators need to configure additional Group Policy settings in order to protect against the vulnerability.

Note that in addition to the unsupported Windows XP and 2000, Windows Server 2003 will not be receiving an update to address this vulnerability despite being a supported operating system. Furthermore, Microsoft has not identified any workarounds or mitigations, recommending that security-conscious users upgrade their operating systems.