As part of Microsoft's batch of releases yesterday during the regularly scheduled Patch Tuesday, one specific update was released to address a vulnerability in the way Group Policy functions.
Per MS15-011, a remote code execution vulnerability exists in how Group Policy receives and applies connection data when a domain-joined system connects to a domain controller. A successful attacker could take complete control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights. For companies, this can lead to a very serious security situation, and the update needs to be installed right away.
However, we're learning now that just installing the security update is not enough. The update only provides the ability to harden Group Policy, not the actual protection against the vulnerability. Microsoft KB article 3000483 gives guidance on extra steps required to fully protect the environment against the vulnerability. The KB article states:
To enable this functionality, a system administrator must apply the following Group Policy settings in addition to installing security update 3000483.
The full article containing all the steps is here: KB3000483
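As an added check (not part of the original post), the PowerShell snippet below reports whether a domain-joined client has both halves of the fix in place: the update itself and the Group Policy hardening. The registry location and value format it inspects are assumed from the UNC Hardened Access setting that KB3000483 documents; the post itself does not list them, so confirm them against the KB.

```powershell
# Added example, not from the original post. Assumed (per KB3000483, not stated on
# the page): applying the UNC Hardened Access policy writes string values named
# after the UNC path into the HardenedPaths key below.
$hotfixId = 'KB3000483'
$key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$required = @('\\*\SYSVOL', '\\*\NETLOGON')

# Half one: is the security update actually installed?
$updateInstalled = [bool](Get-HotFix -Id $hotfixId -ErrorAction SilentlyContinue)

# Half two: has the policy landed in the registry for both SYSVOL and NETLOGON?
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$hardened = @{}
foreach ($path in $required) {
    # Read by exact value name; the '*' in the name is literal, not a wildcard
    $value = if ($props) { $props.PSObject.Properties[$path].Value } else { $null }
    # Treat the path as hardened only when both protections are required
    $hardened[$path] = ($null -ne $value) -and
        ($value -match 'RequireMutualAuthentication\s*=\s*1') -and
        ($value -match 'RequireIntegrity\s*=\s*1')
}

[pscustomobject]@{
    UpdateInstalled  = $updateInstalled
    SysvolHardened   = $hardened['\\*\SYSVOL']
    NetlogonHardened = $hardened['\\*\NETLOGON']
    FullyProtected   = $updateInstalled -and ($hardened.Values -notcontains $false)
}
```

Run it as an administrator on a client after a `gpupdate /force`; a `FullyProtected` of `False` with `UpdateInstalled` of `True` is exactly the "patched but not done" state the post describes.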
So, just because you may have installed the security update successfully, it's important to realize you're not quite done. I can't believe Microsoft hasn't emphasized this more.
This is a clear case where having advance notification would have better prepared customers. Microsoft, of course, recently decided to end public advance notifications and instead provides them only to paying corporate customers, and only the day before updates are released.
P.S. This is also the specific vulnerability that Microsoft has stated it will NOT fix for Windows Server 2003, which reaches end of life on July 14, 2015. You can read all about it here: Patch Tuesday: Microsoft Will Not Patch a Flaw in Windows Server 2003 This Month – Or Ever