Microsoft has released an emergency patch for all versions of Windows Server after discovering some limited exploitation of a Kerberos vulnerability in the wild.
MS14-068 was withheld from the company’s regular Patch Tuesday updates earlier this month because of last-minute testing requirements, but Microsoft decided to release the fix out of schedule rather than wait until next month.
The vulnerability lies in the Windows Kerberos Key Distribution Center (KDC) and allows remote elevation of privilege in domains that use Windows domain controllers. In practice, an attacker holding the credentials of any domain user account, however low its privileges, could grant themselves domain administrator rights.
There are no workarounds. Microsoft says the only mitigating factor is that an attacker needs valid domain credentials in the first place, which experts say is of little consolation given how easily a single account is compromised.
“Microsoft only release out of band patches for very serious issues and MS14-068 is no exception,” explains Ben Campbell, senior security consultant at MWR InfoSecurity. “With this bug an attacker could take full control of a Windows Domain from the lowest privileged user. A malicious employee, contractor, weak password, or a single successful phishing attack could lead to a full compromise from which an organisation may struggle to recover.
“Microsoft’s own advice is that the only sure way to clean your systems once this level of compromise occurs is with a full domain rebuild, which would have extreme repercussions on any Windows-reliant organisation.
“Some guidance has been released to identify attacks, but Microsoft acknowledges that attackers would be able to hide their presence by improving their exploits to cover their tracks. This raises interesting questions such as how long have advanced attackers been using this technique without detection, and what were the attackers after that convinced them to use such a valuable zero-day attack?”
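Two things a domain administrator would want to do on reading the above: confirm that every domain controller actually has the MS14-068 update (Microsoft's knowledge-base ID for it is KB3011780), and look for the indicator Microsoft's detection guidance describes, a Kerberos-authenticated logon (event ID 4624) whose Security ID field resolves to a different account than its Account Name field. The following PowerShell is an added example written for this page, not code from the article, MWR or Microsoft. It assumes the ActiveDirectory RSAT module is available and that the account running it can read the Security log on each domain controller; the property indexes used for 4624 (4 = TargetUserSid, 5 = TargetUserName) are the documented field order for that event.

```powershell
# Added example: patch check and logon-event scan for MS14-068 (not from the article).
# Assumes RSAT ActiveDirectory module and remote Security-log read rights on the DCs.
Import-Module ActiveDirectory

$kb  = 'KB3011780'                                   # hotfix ID of the MS14-068 update
$dcs = (Get-ADDomainController -Filter *).HostName   # every DC in the current domain

# 1. Is the fix installed on every domain controller? (Clients don't matter here;
#    the vulnerable component is the KDC, which only runs on DCs.)
foreach ($dc in $dcs) {
    $fix = Get-HotFix -Id $kb -ComputerName $dc -ErrorAction SilentlyContinue
    if ($fix) { "$dc : $kb installed $($fix.InstalledOn)" }
    else      { "$dc : $kb MISSING - patch this domain controller first" }
}

# 2. Hunt for the indicator: a 4624 logon where the SID in the Security ID field does
#    not belong to the account named in the Account Name field. A forged ticket lets a
#    low-privileged name turn up with a privileged SID (or vice versa); a normal logon
#    always has the two fields agreeing.
$since = (Get-Date).AddDays(-7)   # look back one week; widen as needed
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sid  = $_.Properties[4].Value   # TargetUserSid
        $name = $_.Properties[5].Value   # TargetUserName
        # Only domain account SIDs (S-1-5-21-...) can be resolved and compared;
        # well-known SIDs such as ANONYMOUS LOGON are skipped.
        if ($sid -is [System.Security.Principal.SecurityIdentifier] -and $sid.IsAccountSid()) {
            try {
                $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value  # DOMAIN\user
                if ($resolved.Split('\')[-1] -ne $name) {
                    [pscustomobject]@{
                        DC          = $dc
                        Time        = $_.TimeCreated
                        AccountName = $name
                        SecurityId  = $sid.Value
                        ResolvesTo  = $resolved
                    }
                }
            } catch {
                # Unresolvable SID (deleted account, untrusted foreign domain): nothing to compare.
            }
        }
    }
}
```

Any row the second loop prints deserves an investigation rather than a shrug: a name/SID mismatch on a DC is exactly what the guidance singles out, and, as the quote above notes, a more careful attacker can avoid leaving it, so an empty result is not proof of a clean domain.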
The update is also being offered to desktop versions of Windows, which are not affected by the vulnerability, as a defence-in-depth measure.
This month’s Patch Tuesday was a significant one featuring 16 security bulletins, including one fixing a vulnerability that is 19 years old.