Microsoft has announced that it will release an out-of-band (OOB) update later today to address an elevation-of-privilege bug in all supported versions of Windows.
The MS14-068 update will be released at around 10 a.m. PST today, November 18.
MS14-068 and MS14-075 were both held back from Tuesday’s bulletin release and listed as “release date to be determined,” which is a rare occurrence.
“Microsoft has released MS14-068 to describe a crypto failure within Microsoft’s Kerberos key distribution center (KDC) with the impact of allowing low-privileged domain users to gain administrative access to any computer in the domain, including the domain controller,” said Craig Young, Tripwire security researcher.
Young explained the problem stems from a failure to properly validate cryptographic signatures, which allows certain aspects of a Kerberos service ticket to be forged.
“The vulnerability has already been used in limited attacks and should be considered a serious risk to enterprises using Kerberos KDC on a Windows domain,” warned Young.
Tyler Reguly, manager of security research at Tripwire, adds that it is odd to see Microsoft deviating from its normal OOB criteria. “You have to wonder about the extent of these attacks and the severity of the issue,” said Reguly.
As always, domain controllers and other Windows servers in affected environments should be patched promptly to prevent exploitation. Young also advises that administrators consider deploying the defense-in-depth changes issued for Microsoft’s desktop platforms, to limit exposure to other vulnerabilities that may be lurking in the code.
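One way to confirm that the rollout has actually reached every KDC in a domain, as an added example that is not from the article, Tripwire or Microsoft: it assumes the MS14-068 fix ships as hotfix KB3011780 (the article gives no KB number), and that it is run from a domain-joined host with the RSAT ActiveDirectory module and remote WMI access to each domain controller.

```powershell
# Added example; not code from the original article.
# Assumptions not stated on the page: MS14-068 is delivered as hotfix
# KB3011780, the ActiveDirectory module is installed, and Get-HotFix can
# reach each DC over WMI (Win32_QuickFixEngineering).
Import-Module ActiveDirectory

$Kb = 'KB3011780'   # assumed KB number for the MS14-068 update

# The vulnerable code is the KDC, so only domain controllers need checking.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    # Get-HotFix writes an error when the ID is absent; treat that as "not patched".
    $fix = Get-HotFix -Id $Kb -ComputerName $dc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $dc
        Patched          = [bool]$fix
        InstalledOn      = if ($fix) { $fix.InstalledOn } else { $null }
    }
}

$results | Sort-Object Patched | Format-Table -AutoSize

# A forged ticket is only rejected by a KDC that validates the signature,
# so a single unpatched DC leaves the whole domain exposed.
$unpatched = $results | Where-Object { -not $_.Patched }
if ($unpatched) {
    Write-Warning ("Unpatched domain controllers: " + ($unpatched.DomainController -join ', '))
}
```

Run it from an account that can query each DC remotely; a DC that is unreachable over WMI shows up as unpatched here, which is the safe default for a check like this.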
Tripwire VERT will be releasing ASPL coverage for MS14-068 tomorrow, November 19, for Tripwire IP360 customers. Tripwire will also be releasing an out-of-band VERT Alert with more information when available.
Updated: 1:09 P.M. PST, November 18