Microsoft Releases Emergency Windows Server Security Fix

Microsoft has released an emergency patch for all versions of Windows Server after discovering some limited exploitation of a Kerberos vulnerability in the wild.

MS14-068 was withheld from the company’s regular Patch Tuesday updates earlier this month due to some last-minute testing requirements, but Microsoft has released the fix out of schedule after deciding it couldn’t wait until next month.

The vulnerability concerns the Windows Kerberos Key Distribution Center (KDC) and allows remote elevation of privilege in domains running Windows domain controllers. This means an attacker with the credentials of any domain user would be able to grant themselves administrator privileges.

Microsoft says the exploitation it has witnessed in the wild affects Windows Server 2008 R2 and below. It has not seen any attacks targeting Windows Server 2012 or Windows Server 2012 R2, although such attacks are possible.

There are no workarounds and Microsoft says the only mitigating factor is that an attacker would need credentials in the first place, although experts say this is of little consolation.

“Microsoft only release out of band patches for very serious issues and MS14-068 is no exception,” explains Ben Campbell, senior security consultant at MWR InfoSecurity. “With this bug an attacker could take full control of a Windows Domain from the lowest privileged user. A malicious employee, contractor, weak password, or a single successful phishing attack could lead to a full compromise from which an organisation may struggle to recover.

“Microsoft’s own advice is that the only sure way to clean your systems once this level of compromise occurs is with a full domain rebuild, which would have extreme repercussions on any Windows-reliant organisation.

“Some guidance has been released to identify attacks, but Microsoft acknowledges that attackers would be able to hide their presence by improving their exploits to cover their tracks. This raises interesting questions such as how long have advanced attackers been using this technique without detection, and what were the attackers after that convinced them to use such a valuable zero-day attack?”

The update is also available for desktop versions of Windows even though it doesn’t affect them.

This month’s Patch Tuesday was a significant one featuring 16 security bulletins, including one fixing a vulnerability that is 19 years old.

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
