Microsoft has announced that it is to release an out-of-band patch tonight to address a vulnerability in Windows.
In a very short statement, Tracey Pretorius, director of response communications at Microsoft, said: “We strongly encourage customers to apply this update as soon as possible, following the directions in the security bulletin.”
The emergency bulletin, MS14-068, specifically patches an elevation of privilege issue in Windows.
Affected operating systems include Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2.
Ken Westin, security analyst at Tripwire, said: “This patch, MS14-068, along with MS14-075, was listed in Tuesday’s bulletin from Microsoft, but was listed as ‘release date to be determined’, which is a rather odd occurrence.
“This patch fixes a privilege escalation vulnerability in all versions of Windows and is something that should be updated quickly. This out-of-band patch can cause some retailers heartburn as they prepare for the holidays and the dreaded holiday ‘code freeze’ which many organisations may deploy in anticipation of the shopping season to minimize disruption or downtime caused by any errant changes. Particularly as the other MS14-075 patch is still outstanding, however that is believed to be a patch for Microsoft Exchange Server.”
It was revealed in a second advisory by Joe Bialek from the Microsoft Resource Centre Engineering team that the flaw, CVE-2014-6324, is a Windows Kerberos implementation elevation of privilege vulnerability that is being exploited in the wild in limited, targeted attacks.
He said: “CVE-2014-6324 allows remote elevation of privilege in domains running Windows domain controllers. The exploit found in-the-wild targeted a vulnerable code path in domain controllers running on Windows Server 2008 R2 and below. Microsoft has determined that domain controllers running 2012 and above are vulnerable to a related attack, but it would be significantly more difficult to exploit. Non-domain controllers running all versions of Windows are receiving a ‘defense in depth’ update but are not vulnerable to this issue.
“CVE-2014-6324 fixes an issue in the way Windows Kerberos validates the PAC in Kerberos tickets. Prior to the update it was possible for an attacker to forge a PAC that the Kerberos KDC would incorrectly validate. This allows an attacker to remotely elevate their privilege against remote servers from an unprivileged authenticated user to a domain administrator.”