Microsoft patches Kerberos vulnerability

On Patch Tuesday last week, Microsoft released the usual collection of updates to Windows and Office to fix day-to-day vulnerabilities.

This week brings a bonus patch for all versions of Windows on servers and workstations. Microsoft only issues an “out-of-band” update, outside the normal Patch Tuesday schedule, when a potentially nasty threat is already being exploited by the bad guys in the wild – and this one is very nasty indeed.

Don’t panic! This doesn’t directly affect your computer. Microsoft released an update for Windows 7 and 8 only as a precaution. (Microsoft calls it “defense-in-depth.”) It’s important for servers to be patched but there’s no urgency for Windows 7 and 8 computers. If you’re a subscriber to Bruceb Remote Management (and you should be), it will be installed as part of your ongoing maintenance. Everyone will get it eventually from the Automatic Update system.

Got that? You should be drinking coffee and feeling relaxed when you read the rest of this article. It’s the folks in charge of servers who are staying up late to install the patch lickety-split.

The vulnerability and this week’s fix are described in Microsoft Security Bulletin MS14-068. Basically, if a bad guy has the login credentials for a plain old user account on a Windows network, the bad guy might be able to elevate that account to all of the privileges of a domain administrator. In the world of computing, a domain administrator is a god. When a bad guy has domain administrator privileges, the bad guy owns the network. A Microsoft engineer wrote this to explain the effect of this problem:

“The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately.”

This is the stuff of cyber-thrillers about the end of civilization, where the bad guys infiltrate the utility companies and hospitals. The attack is only possible when certain conditions are met, and those conditions are most likely to be true in large corporate and government networks rather than small businesses, but it’s still necessary to patch all Windows servers sooner rather than later.

I’ll be installing the patch on my clients’ servers over the next week or two, along with any other updates that are necessary to bring things up to date. Be careful out there!