Unscheduled Windows update kills critical security bug under active attack Microsoft has released an

Unscheduled Windows update kills critical security bug under active attack

Microsoft has released an unscheduled update to patch a critical security hole that is being actively exploited to hack Windows-based servers.

A flaw in the Windows implementation of the Kerberos authentication protocol allows attackers with credentials for low-level accounts to remotely hijack extremely sensitive Windows domain controllers that allocate privileges on large corporate or government networks. The privilege elevation bug is already being exploited in highly targeted attacks and gives hackers extraordinary control over vulnerable networks.

"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain," Microsoft engineer Joe Bialek wrote in a blog post accompanying Thursday's patch. "An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately."

The patch came on the same day that security research firm NSS Labs reported recently discovering reliable attacks in the wild that exploit security holes patched by MS14-064, an update released last week. The exploits use proof-of-concept code also released last week to install unspecified malware on vulnerable computers, NSS said.

While all supported versions of Windows contain the bug fixed Tuesday, server versions from 2008 R2 and earlier are the most vulnerable. The exploits observed so far work against Windows Server 2008 R2 and previous server versions. Domain controllers running on Windows Server 2012 and higher aren't susceptible to those attacks, but they are vulnerable to a related technique that is harder to carry out. Windows systems that don't run domain controllers are theoretically vulnerable. Bialek said all Windows users should install the patch as soon as possible, but the priority should be assigned in the following order: (1) domain controllers running 2008 R2 and below, (2) domain controllers running server 2012 and higher, and (3) all other systems running any supporter version of Windows.

Kerberos uses a "ticket to get tickets" and a service ticket when authenticating users. Embedded in both tickets is a privilege attribute certificate (PAC) that assigns the level of access for each individual user.

"Prior to the update it was possible for an attacker to forge a PAC that the Kerberos [domain controller] would incorrectly validate," Bialek explained. "This allows an attacker to remotely elevate their privilege against remote servers from an unprivileged authenticated user to a domain administrator."

MS14-068, as the patch is designated, was originally slated to be part of last week's Patch Tuesday. Microsoft pulled the patch without explanation. Company officials likely released the update shortly after confirming the vulnerability was being exploited in the wild.

http://arstechnica.com/security/201...rstechnica/index+(Ars+Technica+-+All+content)