Microsoft rushes out patch for Kerberos protocol
Posted on Wednesday, November 19 2014 @ 15:12 CET by Thomas De Maesschalck

Security Bulletin MS14-068 covers a privilege escalation vulnerability in the Kerberos security subsystem that is present in all currently supported versions of Windows. Microsoft has rated the flaw Critical, its most serious rating, which is why the fix shipped out-of-band rather than waiting for the next Patch Tuesday. The vulnerable code runs in the Kerberos Key Distribution Center (KDC) on domain controllers, so the problem mainly concerns enterprise customers running Active Directory: an attacker who already holds valid credentials for the domain (an ordinary, unprivileged user account is enough) can use the flaw to elevate to domain administrator. Home users and standalone machines are not exposed, but every member of an affected domain is, since domain administrator rights reach all of them; patching the domain controllers is what closes the hole.
Source: Bit Tech

'This is pretty severe and definitely explains why Microsoft only delayed the release and did not pull it from the November Patch Tuesday release altogether,' explained Chris Goettle, product manager at security specialist Shavlik, of the patch. 'Our recommendation: include this in your patch cycle ASAP.' The MS14-068 patch is one of two which were listed in Microsoft's November bulletin as having a release date 'to be determined,' suggesting that another out-of-band patch could appear before December's Patch Tuesday rolls around.
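Because the fix has to land on every domain controller to be effective, the first thing an administrator will want is a quick inventory of which DCs actually have it. The script below is an added example, not part of the article or of any Microsoft tooling; it assumes the ActiveDirectory PowerShell module is available and that the caller can reach the domain controllers remotely for Get-HotFix (which uses WMI/RPC). The KB number it looks for, KB3011780, is the update Microsoft published with MS14-068.

```powershell
# Added example (not from the article): report which domain controllers in the
# current domain have the MS14-068 update (KB3011780) installed.
# Assumptions: ActiveDirectory module present; remote WMI/RPC access to each DC.
Import-Module ActiveDirectory

$kb = 'KB3011780'   # update shipped with Security Bulletin MS14-068

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Get-HotFix returns nothing (no error) when the update is absent or the
    # host cannot be reached; both cases are reported as "not patched" so that
    # an unreachable DC is never silently assumed to be safe.
    $hotfix = Get-HotFix -Id $kb -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $dc.HostName
        Patched          = [bool]$hotfix
        InstalledOn      = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

$report | Format-Table -AutoSize

$unpatched = @($report | Where-Object { -not $_.Patched })
if ($unpatched.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) still missing {1}: {2}" -f `
        $unpatched.Count, $kb, ($unpatched.DomainController -join ', '))
}
```

Run it from a workstation with RSAT installed as an account that can query the DCs. Get-HotFix only sees updates recorded by Windows Update or the standalone installer, so a DC where the patch was slipstreamed into an image may show as unpatched; treat the output as a worklist to verify, not as proof of exposure.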