Microsoft issues out-of-band patch to Windows Kerberos

Microsoft has very unusually released an `out-of-band' security patch to fix a vulnerability in Windows - and Windows Server - that hackers are reportedly exploiting to compromise IT networks.

Inadequate patching leaving businesses vulnerable
Inadequate patching leaving businesses vulnerable
According to the software giant, a vulnerability (MS14-068) in the Kerberos authentication system allows a user to escalate their privileges to access domain administrator rights.

"By impersonating the domain administrator, the attacker could install programs; view, change or delete data; or create new accounts on any domain-joined system," Microsoft says in its emergency patch comments.

SCMagazineUK.com notes that MS14-068 was one of two security bulletins held back last week in Microsoft's major November Patch Tuesday security update of 14 bulletins addressing almost 40 individual vulnerabilities.

Qualys CTO Wolfgang Kandek says that MS14-068 was held back because it showed some last-minute stability problems.

In his analysis, Kandek claims that security researchers were immediately driven to issue this bulletin as it updates Microsoft's SSL/TLS implementation fixing Remote Code Execution and Information Leakage that were found internally at Microsoft during a code audit.

"More information has not been made available, but in theory this sounds quite similar in scope to April's Heartbleed problem in OpenSSL, which was widely publicised and had a number of documented abuse cases," he said, adding that the dark side is certainly making progress in finding an exploit for these vulnerabilities. It is now high-time to patch.


All versions

Whilst it originally looked as though MS14-068 was being held to the December update schedule, Microsoft now says the vulnerable component is in all supported versions of Windows up to 8.1 and Windows Server up to 2012 R2.

Because of this, whilst the problem is not considered an immediate target, the Redmond giant appears to be taking no chances, although some newswires quote Microsoft as saying that it has now received reports of "limited, targeted attacks" exploiting the flaw.

Leading security researcher Brian Krebs has confirmed these reports, noting that miscreants already are exploiting the weaknesses to launch targeted attacks.

"The update addresses a bug in a Windows component called Microsoft Windows Kerberos KDC, which handles authenticating Windows PCs on a local network. It is somewhat less of a problem for Windows home users - it is only rated critical for server versions of Windows - but it poses a serious threat to organisations," he says in his analysis, citing security vendor Shavlik as saying the flaw "allows an attacker to elevate domain user account privileges to those of the domain administrator account."

Craig Young, a security researcher with Tripwire, meanwhile, says that Microsoft has released MS14-068 to solve a crypto failure within Microsoft's Kerberos key Distribution Centre (KDC) with the impact of allowing low-privileged domain users to gain administrative access to any computer in the domain including the domain controller.

"The problem stems from a failure to properly validate cryptographic signatures on which allows certain aspects of a Kerberos service ticket to be forged.  The vulnerability has already been used in limited attacks and should be considered a serious risk to enterprises using Kerberos KDC on a Windows domain," he explained.

According to Young, Windows servers in affected environments should be patched at once to prevent exploitation.

Administrators, he argues, should also consider deploying the defence-in-depth changes issued for Microsoft's desktop platforms to limit exposure to other vulnerabilities, which may be lurking in the code.

Cryptography, says Young, is hard and doing cryptography right is even harder.

"Over the years a variety of security flaws have been the result of signatures which do not authenticate all critical data or failure to properly validate signatures. Earlier this year several high-profile Bitcoin exchanges - including MtGox - learned this lesson the hard way when attackers managed to steal hundreds of millions if not billions of dollars through transaction malleability," he said.

"This was made possible because attackers could change aspects of a transaction without affecting the signature thereby creating competing transactions which could both be cryptographically verified," he added.