Microsoft today deviated from its regular pattern of releasing security updates on “update Tuesday” (the second Tuesday of each month) by pushing out an emergency patch to plug a security hole in all supported versions of Windows. The company urged all Windows users to install this update as quickly as possible, noting that cybercriminals are already exploiting the weakness in targeted attacks.
The update (MS14-068) addresses a bug in a Windows component called Microsoft Windows Kerberos KDC, which handles authenticating Windows PCs on a local network. It is less of a problem for Windows home users (the update is rated critical only for server versions of Windows), but it poses a serious threat to organizations. According to security vendor Shavlik, the flaw allows an attacker to elevate domain user account privileges to those of the domain administrator account.
“The attacker could forge a Kerberos Ticket and send that to the Kerberos KDC which claims the user is a domain administrator,” writes Chris Goettl, product manager with Shavlik. “From there the attacker can impersonate any domain accounts, add themselves to any group, install programs, view/change/delete data, or create any new accounts they wish. This could allow the attacker to then compromise any computer in the domain, including domain controllers. If there is a silver lining in this one it is in the fact that the attacker must have a valid domain user account to exploit the vulnerability, but once they have done so, they have the keys to the kingdom.”