Grab Microsoft’s Out-of-Cycle Kerberos Patch

During last week’s Microsoft Patch Day, I pointed out that Microsoft had delayed two of the expected bulletins. This week, they released one of those delayed updates and rated it Critical.

According to the MS14-068 Security Bulletin, Kerberos suffers from a local privilege elevation flaw that could allow attackers to gain full control of your entire domain. Kerberos is one of the authentication protocols used by Windows Server. The Kerberos Key Distribution Center (KDC) is the network service that issues Kerberos “tickets.” Unfortunately, Windows Server suffers from a KDC vulnerability that allows local users to gain full domain administrator privileges simply by sending maliciously forged tickets to your KDC server. The good news is that an attacker needs valid domain login credentials and local network access to leverage this flaw. The bad news is that if they can exploit it, they basically gain easy access to ALL your Windows machines. This is a great flaw for advanced attackers: if they can pwn even one of your least privileged users, they can leverage it to gain full control of your Windows network and move laterally throughout it with ease. I consider this a pretty serious issue.

I recommend you patch your Windows Servers, especially your Active Directory domain controllers, as soon as possible. Check out the Affected Software section of Microsoft’s bulletin for patch details. Though I recommend you update quickly, your authentication server is a critical network component, so I highly recommend you test this update on a non-production server first to make sure it doesn’t cause any unexpected problems. — Corey Nachreiner, CISSP (@SecAdept)
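To track the rollout recommended above, here is an added PowerShell script (not part of the original post) that lists every domain controller in the domain and reports whether the MS14-068 update is installed on it. It assumes the ActiveDirectory module is available, that the account running it can query Get-HotFix on each DC, and that you pass in the KB number for your server version from the bulletin’s Affected Software section (the KB id is a placeholder parameter here, not a value taken from this post).

```powershell
# Added example, not from the original post: report MS14-068 patch status per DC.
# Assumes: RSAT ActiveDirectory module installed, and Get-HotFix reachable on each DC.
param(
    # Placeholder: supply the KB number listed for your OS in the bulletin's
    # Affected Software section, e.g. -KbId 'KB<number>'.
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^KB\d+$')]
    [string]$KbId
)

Import-Module ActiveDirectory

# Enumerate every domain controller rather than relying on a hand-kept list,
# so a forgotten or newly promoted DC cannot silently stay unpatched.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $fix = Get-HotFix -Id $KbId -ComputerName $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            Status           = 'Installed'
            Detail           = $fix.InstalledOn
        }
    }
    catch {
        # Get-HotFix errors both when the update is absent and when the DC cannot
        # be reached, so keep the message: an unreachable DC still needs a manual check.
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            Status           = 'MISSING or unreachable'
            Detail           = $_.Exception.Message
        }
    }
}

# Unpatched or unreachable DCs first, so the work list is at the top of the output.
$report | Sort-Object Status -Descending | Format-Table -AutoSize

$missing = @($report | Where-Object Status -ne 'Installed')
Write-Host ("{0} of {1} domain controllers still need attention." -f $missing.Count, $report.Count)
```

Run it again after patching; any DC still reported as missing or unreachable is the one to look at next, and the same check works for member servers if you replace the Get-ADDomainController query with your server list.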

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.
