Security Advisor
'Critical' Windows Hole Gets Out-of-Band Patch
Microsoft released a crypto fix that has been seen to be in limited exploit against Windows Server.
Microsoft released an out-of-band security patch for all supported version of Windows OS and Windows Server today. While all versions of Windows will be receiving a fix, only Windows Server versions are vulnerable to attack.
Originally scheduled for last week's Patch Tuesday release, bulletin MS14-068 was delayed until this morning. The fix addresses a privately reported issue in Microsoft Windows Kerberos key distribution center (KDC) -- a protocol used to authenticate users on an unsecured network. According to the bulletin release, if ignored by network admins, the flaw could lead to an elevation of privilege for unauthorized users.
Going into more detail on the flaw, Craig Young, security researcher at Tripwire, said the problem stems from the Kerberos KDC experiencing a crypto failure.
"The problem stems from a failure to properly validate cryptographic signatures which allows certain aspects of a Kerberos service ticket to be forged," said Young in an e-mailed statement. "The vulnerability has already been used in limited attacks and should be considered a serious risk to enterprises using Kerberos KDC on a Windows domain. Windows servers in affected environments should be patched at once to prevent exploitation."
According to Microsoft, the patching priority is as follows:
- Domain controllers running Windows Server 2008 R2 and below
- Domain controllers running Windows Server 2012 and higher
- All other systems running any version of Windows
Windows Server 2008 R2 and Windows Server 2003 are the top priorities today due to the limited attacks already seen in the wild targeting that version. While later versions are also vulnerable, Microsoft said that getting a working exploit will be much more difficult.
The company said the only way to fix domains that have already been breached by the attacker is to tear it down and start from scratch. "The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain," wrote Joe Bialek, an engineer with Microsoft Security Response Center. "An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed."