UPDATED 10:14 EDT / NOVEMBER 19 2014

Emergency update from Microsoft: Out-of-cycle security update for devastating Kerberos bug

Microsoft has just released one of the two security updates that were withheld from the 14 bulletins it shipped last week. MS14-068 and MS14-075 were scheduled for last Tuesday but were held back, possibly because of a fault in the patches.

MS14-068 addresses CVE-2014-6324, an elevation-of-privilege vulnerability in Windows Kerberos. If exploited, it could give an attacker who holds an ordinary domain account administrative privileges on a domain controller: by impersonating a domain administrator, the attacker could make any number of changes, such as installing programs, viewing, changing or deleting data, and creating new accounts.

The Redmond company rates the patch “critical” for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2; for supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1, a defense-in-depth update is available.

Microsoft explained in a summary concerning the update that “the vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged…When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.”

The affected component, Microsoft noted, is reachable remotely by anyone with a standard domain user account; users with only local account credentials cannot exploit it. If a domain controller is compromised, any machine joined to that domain could come under attack. There is no fully effective workaround or mitigation, and at worst the consequence of a successful attack is that an organization has to completely rebuild its domain.
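Two checks a domain administrator would want after reading this, written here as an added example rather than code from Microsoft or the article. The first enumerates the domain controllers and asks each whether the MS14-068 update is installed; it assumes the ActiveDirectory module is available, that Get-HotFix can reach each DC over RPC, and that the update shipped as KB3011780 (confirm the KB number against the bulletin before relying on it). The second looks for the trace a forged ticket leaves behind: a Kerberos logon event (ID 4624) whose Security ID does not belong to the account named in the event, because the forged PAC carries someone else's SIDs. Parameter names, the 30-day default window and the well-known SIDs skipped are choices made for this example.

```powershell
# Added example: post-MS14-068 checks for an Active Directory domain.
# Assumes the ActiveDirectory module, RPC access to each DC, and that the
# MS14-068 update is KB3011780 (verify against the bulletin).
Import-Module ActiveDirectory

function Test-MS14068Patched {
    # One object per domain controller, with an Installed flag for the update.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $fix = Get-HotFix -Id 'KB3011780' -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            Installed        = [bool]$fix
            InstalledOn      = $(if ($fix) { $fix.InstalledOn } else { $null })
        }
    }
}

function Find-PacSidMismatch {
    # Flags 4624 Kerberos logons whose Security ID does not resolve to the named account.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-30)   # example default window
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    foreach ($ev in Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only Kerberos logons carry a PAC; skip well-known SIDs that never map to a named user.
        if ($data.AuthenticationPackageName -ne 'Kerberos') { continue }
        if ($data.TargetUserSid -match '^S-1-5-(7|18|19|20)$') { continue }

        try {
            $acct = New-Object System.Security.Principal.NTAccount($data.TargetDomainName, $data.TargetUserName)
            $expected = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            # Deleted or renamed accounts cannot be resolved; surface them for manual review.
            $expected = 'UNRESOLVED'
        }

        if ($expected -ne $data.TargetUserSid) {
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                Computer    = $ComputerName
                AccountName = "$($data.TargetDomainName)\$($data.TargetUserName)"
                EventSid    = $data.TargetUserSid
                ExpectedSid = $expected
                LogonType   = $data.LogonType
                SourceIp    = $data.IpAddress
            }
        }
    }
}

# Usage: patch status across the domain, then a two-week sweep of one DC's Security log.
Test-MS14068Patched | Format-Table -AutoSize
Find-PacSidMismatch -ComputerName 'dc01' -Since (Get-Date).AddDays(-14) | Format-Table -AutoSize
```

Run the mismatch sweep on every domain controller and on any member server an attacker could have reached with a forged ticket, not just one host. A hit with a resolvable but different SID is the signal to treat the domain as compromised; an UNRESOLVED entry is usually a deleted account and needs a human to confirm.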

Given this, and the fact that Microsoft has gone out-of-band with the patch, users should heed the critical rating and update now.
