Microsoft issues emergency patch for bug affecting all versions of Windows

Microsoft issues emergency patch for bug affecting all versions of Windows

Could enable an attacker to perform privilege escalation

MICROSOFT HAS ISSUED an emergency patch for the Kerberos Bug that could allow an attacker to perform privilege escalation in several versions of Windows.

In what will be the firm's third emergency patch in the past three months, the fix arrives just a week after the monthly Patch Tuesday release.

The critical MS14-068 fix applies to all currently supported Windows operating systems and resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate domain user account privileges to those of the domain administrator account.

"The attacker could forge a Kerberos Ticket and send that to the Kerberos KDC which claims the user is a domain administrator," explained security company Shavlik's product manager, Chris Goettl.

"From there the attacker can impersonate any domain accounts, add themselves to any group, install programs, view\change\delete date, or create any new accounts they wish."

This could allow the attacker to compromise any computer in the domain, including domain controllers. Goettl urged companies to include this in their patch cycle as soon as possible.

"If there is a silver lining in this one it is that the attacker must have a valid domain user account to exploit the vulnerability, but once they have, they have the keys to the kingdom," Goettl said.

"This is pretty severe and definitely explains why Microsoft only delayed the release and did not pull it from the November Patch Tuesday release all together."

Microsoft said in a statement: "We continued to work on this bulletin, and released it once ready. We remain focused on minimising potential customer disruptions with our releases."

http://www.theinquirer.net/inquirer...tch-for-bug-affecting-all-versions-of-windows