Security Advisor

'Critical' Windows Hole Gets Out-of-Band Patch

Microsoft released a fix for a crypto flaw that has been seen in limited exploits against Windows Server.

Microsoft released an out-of-band security patch for all supported versions of Windows OS and Windows Server today. While all versions of Windows will be receiving a fix, only Windows Server versions are vulnerable to attack.

Originally scheduled for last week's Patch Tuesday release, bulletin MS14-068 was delayed until this morning. The fix addresses a privately reported issue in the key distribution center (KDC) of Microsoft Windows Kerberos, a protocol used to authenticate users on an unsecured network. According to the bulletin release, if ignored by network admins, the flaw could lead to an elevation of privilege for unauthorized users.

Going into more detail on the flaw, Craig Young, security researcher at Tripwire, said the problem stems from the Kerberos KDC experiencing a crypto failure.

"The problem stems from a failure to properly validate cryptographic signatures which allows certain aspects of a Kerberos service ticket to be forged," said Young in an e-mailed statement. "The vulnerability has already been used in limited attacks and should be considered a serious risk to enterprises using Kerberos KDC on a Windows domain. Windows servers in affected environments should be patched at once to prevent exploitation."

According to Microsoft, the patching priority is as follows:

  1. Domain controllers running Windows Server 2008 R2 and below
  2. Domain controllers running Windows Server 2012 and higher
  3. All other systems running any version of Windows

Windows Server 2008 R2 and Windows Server 2003 are the top priorities today due to the limited attacks already seen in the wild targeting those versions. While later versions are also vulnerable, Microsoft said that getting a working exploit will be much more difficult.

The company said the only way to fix a domain that has already been breached by an attacker is to tear it down and start from scratch. "The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain," wrote Joe Bialek, an engineer with Microsoft Security Response Center. "An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed."

About the Author

Chris Paoli is the site producer for and

