Nov 19 2014

Microsoft Adds Emergency Update

Following last week's Patch Tuesday, Microsoft has released another "out-of-band" patch for its server and desktop operating systems. When Microsoft breaks with its usual monthly release schedule, that normally indicates the update is truly critical.

Such is the case with the vulnerability disclosed in Security Bulletin MS14-068. In Microsoft's own words:

"This security update resolves a [...] vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability."

According to the bulletin, the update is rated critical for all currently supported editions of Windows Server, i.e. from Windows Server 2003 onwards, since the vulnerable component, the Kerberos KDC, runs on domain controllers. It is also offered to Windows Vista/7/8/8.1 clients "on a defense-in-depth basis", meaning as a precaution rather than to close an exposed hole on those machines. Because the bug only requires valid credentials of an ordinary domain user, patching every domain controller first is the priority. For more information, please see Microsoft's related Knowledge Base article.

For users of Windows Server 2008 R2 and Windows Server 2012 who ran into problems with last week's patch for the vulnerability in Security Bulletin MS14-066, Microsoft has quietly released an update to the update that removes several of the newly added "default cipher suites" from the registry. Labeled update 3018238, this new package installs automatically together with the older update 2992611 and appears separately in the list of installed updates. Users who have already installed the previous patch will notice that update 2992611 is re-offered for Windows Server 2008 R2 and Windows Server 2012 via Windows Update or WSUS. The removed cipher suites may be restored at a later date, once Microsoft has resolved the issues. That sounds like a sensible plan to us, since these cipher suites are part of the encryption capabilities shipped with Windows Server 2008 R2/Windows Server 2012.
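The practical question behind both bulletins is the same: which of my hosts have which of these three packages, and did the cipher-suite rollback actually take effect? The PowerShell script below is an added example and is not code from the article or from Microsoft. It assumes the target hosts are reachable over WMI (for Get-HotFix) and WinRM (for Invoke-Command) with an account that is a local administrator on them, that KB3011780 is the package for MS14-068 (taken from Microsoft's bulletin; the article does not name it), and that the four suite names are those listed in Microsoft's KB3018238 article. The host names are constructed samples.

```powershell
# Added example, not part of the original article or of Microsoft's updates.
# Audits Windows hosts for the three updates discussed above and lists any of
# the MS14-066 cipher suites that KB3018238 removes which are still configured.
# Assumptions: hosts reachable over WMI (Get-HotFix) and WinRM (Invoke-Command)
# with a local-administrator account; KB3011780 is the MS14-068 package (from
# Microsoft's bulletin, not named in the article); the four suite names are
# taken from Microsoft's KB3018238 article.
param(
    [string[]]$ComputerName = @('dc01.example.local', 'web01.example.local')  # constructed sample targets
)

# Suites that MS14-066 (KB2992611) added and KB3018238 pulls again
$PulledSuites = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

# Schannel takes the cipher-suite order from the policy key if one is set,
# otherwise from the local key.
$PolicySslKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalSslKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-PatchState {
    param([string]$Computer)
    $ids = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
           Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{
        Computer  = $Computer
        MS14_068  = $ids -contains 'KB3011780'   # Kerberos KDC elevation fix
        MS14_066  = $ids -contains 'KB2992611'   # Schannel fix
        KB3018238 = $ids -contains 'KB3018238'   # rollback of the new suites
    }
}

function Get-ConfiguredSuites {
    param([string]$Computer)
    Invoke-Command -ComputerName $Computer -ArgumentList $PolicySslKey, $LocalSslKey -ScriptBlock {
        param($policyKey, $localKey)
        foreach ($key in @($policyKey, $localKey)) {
            # REG_MULTI_SZ on the local key, comma-separated REG_SZ when set by policy
            $v = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
            if ($v) { return @($v -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }
        }
        return @()
    }
}

foreach ($c in $ComputerName) {
    try {
        $state    = Get-PatchState -Computer $c
        $leftover = @(Get-ConfiguredSuites -Computer $c | Where-Object { $PulledSuites -contains $_ })

        if (-not $state.MS14_068) {
            Write-Warning "$c : KB3011780 (MS14-068) is not installed; critical if this host is a domain controller"
        }
        if ($state.MS14_066 -and -not $state.KB3018238) {
            Write-Warning "$c : KB2992611 installed without KB3018238; expect it to be re-offered by Windows Update/WSUS"
        }
        if ($leftover.Count -gt 0) {
            Write-Warning "$c : suites removed by KB3018238 are still configured: $($leftover -join ', ')"
        }

        # One row per host for the report
        [pscustomobject]@{
            Computer  = $c
            MS14_068  = $state.MS14_068
            MS14_066  = $state.MS14_066
            KB3018238 = $state.KB3018238
            Leftover  = $leftover -join ','
        }
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"
    }
}
```

Run it from an administrative workstation with `.\Audit-Nov2014Updates.ps1 -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)` to cover every domain controller first, then against the member servers. The policy key is read before the local one on the assumption that a cipher-suite order pushed by Group Policy is left untouched by the update, so a host can show KB3018238 installed and still advertise the withdrawn suites; that is exactly the case the third warning is meant to catch.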

A third package, an "update rollup" for Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2, was also added to the mix.

