Emergency update from Microsoft: Out-of-cycle security for devastating Kerberos bug
Microsoft has just added one of two missing security updates that were part of the 14 critical patches released last week. Updates MS14-068 and MS14-075 were supposed to be released last Tuesday, but for some reason, possibly due to a fault in the patch, the two patches were held back.
MS14-068 will address CVE-2014-6324, a Windows Kerberos elevation-of-privilege vulnerability which, if exploited, could give an attacker remote administrative privileges on a domain controller and allow them to make any number of changes to the system by impersonating the domain administrator. This could mean that an attacker could install programs on your system; view, change and delete data; and create new accounts.
The Redmond company rates the patch “critical” for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, while for supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1, a defense-in-depth update is available.
Microsoft explained in a summary concerning the update that “the vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged … When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.”
The affected component, Microsoft noted, is reachable remotely by users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. If a domain controller is compromised, any machine joined to that domain could come under attack. With no fully effective workaround or mitigation available, the consequence of a successful attack could be that an organization, at worst, has to completely rebuild its domain.
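Because the bug lets a standard domain user present a service ticket that claims administrator rights, the logon the forged ticket produces carries a Security ID that does not belong to the account name that authenticated. The script below, an added example that is not Microsoft's code and not from the article, scans constructed logon event lines for that mismatch. The one-line event layout, the name-to-SID directory and the sample events are all constructed for the demo; the event ID 4624 is the real Windows logon event, everything else is an assumption.

```python
"""Flag logon events whose Security ID does not match the Account Name.

A Kerberos ticket forged via the flaw described above authenticates as a
low-privilege user but carries the SID of a privileged one, so the resulting
logon record shows an account name paired with a SID it should not have.

Added example, not Microsoft's code. The event format, the directory and
the sample events are constructed; only event ID 4624 is a real Windows value.
"""

# Constructed domain SID (placeholder) and a tiny name -> SID directory that
# stands in for an LDAP lookup against the real domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DIRECTORY = {
    "alice": f"{DOMAIN_SID}-1105",
    "bob": f"{DOMAIN_SID}-1106",
    "Administrator": f"{DOMAIN_SID}-500",   # RID 500 = built-in Administrator
}

# Constructed sample events, flattened to "key=value" pairs on one line each.
SAMPLE_EVENTS = [
    f"EventID=4624 SecurityID={DOMAIN_SID}-1105 AccountName=alice LogonType=3",
    f"EventID=4624 SecurityID={DOMAIN_SID}-500 AccountName=bob LogonType=3",
    f"EventID=4624 SecurityID={DOMAIN_SID}-500 AccountName=Administrator LogonType=3",
    f"EventID=4672 SecurityID={DOMAIN_SID}-500 AccountName=Administrator",
]


def parse_event(line: str) -> dict:
    """Turn one 'key=value key=value' event line into a dict."""
    return dict(pair.split("=", 1) for pair in line.split())


def is_suspicious(event: dict) -> bool:
    """True when a logon event's SID is not the one on record for its account.

    Accounts missing from the directory cannot be judged and are not flagged;
    in practice that lookup would go to the domain rather than a dict.
    """
    if event.get("EventID") != "4624":
        return False
    expected_sid = DIRECTORY.get(event.get("AccountName", ""))
    if expected_sid is None:
        return False
    return event.get("SecurityID") != expected_sid


def find_forged_logons(lines) -> list:
    """Return the parsed events that show a name/SID mismatch."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


if __name__ == "__main__":
    for ev in find_forged_logons(SAMPLE_EVENTS):
        print(f"MISMATCH: {ev['AccountName']} logged on with SID {ev['SecurityID']}")
```

Run against real exported logon events, the same check needs the directory replaced by an authoritative name-to-SID lookup; the mismatch itself is what distinguishes a forged ticket from a legitimate administrator logon, which is why the third sample event is not flagged.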
In view of this, and Microsoft releasing an out-of-band patch, users should probably take heed of the critical warning and update now.
photo credit: jasleen_kaur via photopin cc