Microsoft has issued Security Bulletin MS14-068, an out-of-band security patch that fixes a critical vulnerability in Kerberos, an authentication protocol included in all supported versions of Windows. Typically, Microsoft bundles its patches for Patch Tuesday, the second Tuesday of the month; releasing this one out of cycle illustrates the severity of the vulnerability. Exploitation, however, seems limited to enterprise customers, because Kerberos is typically only used on servers within an Active Directory or similar network environment.
Security Bulletin MS14-068 covers a privilege-escalation vulnerability in the Kerberos security subsystem, present in all currently supported versions of Windows. Microsoft has rated the flaw Critical, its most serious rating - hence the out-of-band patch. Thankfully, the problem is likely to concern only enterprise customers: while the Kerberos subsystem is present in all versions of Windows, it is typically only used on servers within an Active Directory or similar network environment. Only such servers are therefore likely to be at risk of active attack, and then only if the attacker already holds valid credentials for the domain.
'This is pretty severe and definitely explains why Microsoft only delayed the release and did not pull it from the November Patch Tuesday release altogether,' explained Chris Goettl, product manager at security specialist Shavlik, of the patch. 'Our recommendation: include this in your patch cycle ASAP.' The MS14-068 patch is one of two listed in Microsoft's November bulletin with a release date 'to be determined', suggesting that another out-of-band patch could appear before December's Patch Tuesday rolls around.