Microsoft has just made an announcement (and released a related notification) that it will release a critical security update within the next few hours. Slated to release at 10 AM PST, Microsoft is urging customers to apply the update as soon as humanly (and technologically) possible.
With the quick release and warning from Microsoft, this is one you probably don't want to mess around with.
The Advanced Security Bulletin states that the vulnerability impact is Elevation of Privilege, and that it affects currently supported Server versions of Windows, including Windows Technical Preview and Windows Server Technical Preview. The OS versions NOT affected are Windows RT, Windows RT 8.1, Windows 8, Windows 8.1, Windows 7 and Windows Vista, which are all client operating systems. The update will still apply to the client operating systems, but the vulnerability that the patch addresses is not present in those OSes. This should all become clearer when Microsoft releases more information, but it sounds as if the problem is in specific server services or protocols. Nonetheless, this one's important to address.
More information will follow, but this type of warning usually means that an active exploit is in the wild and precautions should be taken immediately.
Let's just hope this update doesn't break something important. We'll have more coverage as the story evolves.
UPDATE: The Advanced Notification has now given way to an official Security Bulletin for MS14-068 and gives more information about the vulnerability. The Security Bulletin states:
This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.
The full bulletin is here: Microsoft Security Bulletin MS14-068 - Critical
UPDATE 2: Microsoft has also now released a blog post that goes much more in-depth about the vulnerability and why it's critical to patch, and even gives an update priority order:
- Domain controllers running Windows Server 2008R2 and below
- Domain controllers running Windows Server 2012 and higher
- All other systems running any version of Windows
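If you manage more than a handful of domain controllers, the priority list above is easiest to act on from a report. The following script is an added example (not from the article or from Microsoft): it enumerates the domain's DCs, ranks them in the bulletin's priority order by operating system, and checks each for the MS14-068 hotfix. It assumes the ActiveDirectory RSAT module, rights to query hotfix status on each DC, and that you substitute the real KB number from the bulletin for the placeholder.

```powershell
# Added example, not code from the article or Microsoft.
# Placeholder: replace with the KB number listed in the MS14-068 bulletin.
$Ms14068Kb = 'KB<from-bulletin>'

function Get-Ms14068Priority {
    param([string]$OperatingSystem)
    # Priority 1: DCs on Windows Server 2008 R2 and below (the in-the-wild target).
    # Priority 2: DCs on Windows Server 2012 and higher (still vulnerable).
    if ($OperatingSystem -match 'Server (2003|2008)') { return 1 }
    return 2
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $installed = $false
    try {
        # Get-HotFix raises an error when the hotfix is absent; -ErrorAction Stop
        # turns that into a catchable exception so absence is reported as $false.
        $installed = [bool](Get-HotFix -Id $Ms14068Kb -ComputerName $dc.HostName -ErrorAction Stop)
    } catch {
        $installed = $false
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        Priority         = Get-Ms14068Priority $dc.OperatingSystem
        Ms14068Installed = $installed
    }
}

# Unpatched priority-1 DCs float to the top of the output.
$report | Sort-Object Priority, Ms14068Installed | Format-Table -AutoSize
```

A DC that is unreachable over WMI/RPC will also show as not installed, so confirm those hosts manually rather than assuming they are patched.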
Read the in-depth blog post here: Additional information about CVE-2014-6324
A couple of notes of importance from the blog:
Remediation: The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain.
In the wild: The exploit found in the wild targeted a vulnerable code path in domain controllers running Windows Server 2008R2 and below, but Windows Server 2012 and above are vulnerable, too.
Azure?: Azure Active Directory is not vulnerable.