Microsoft has put out an emergency patch for a Kerberos bug that could allow any authenticated domain user to elevate their privileges to domain administrator, affecting all currently supported versions of Windows. This marks the software maker’s third out-of-band patch in recent months, and this one arrives just a week after the regular monthly Patch Tuesday release.
The critical MS14-068 fix (CVE-2014-6324) applies to all currently supported Windows operating systems and resolves a privately reported vulnerability in the Windows Kerberos Key Distribution Center (KDC) that allows an attacker to elevate account privileges. The vulnerable component is the KDC, which runs on domain controllers, so that is where the patch matters most; Microsoft rated the update Critical for server editions and shipped it to client editions as a defence-in-depth measure. Chris Goettl, a product manager at security company Shavlik, explained that “the attacker could forge a Kerberos Ticket and send that to the Kerberos KDC which claims the user is a domain administrator”.
“From there the attacker can impersonate any domain account, add themselves to any group, install programs, view, change or delete data, or create any new accounts they wish. If there is a silver lining in this one, it is that the attacker must have a valid domain user account to exploit the vulnerability, but once they have, they have the keys to the kingdom”.
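Because the flaw sits in the KDC, the first thing an administrator wants to know is whether every domain controller has the fix. The following PowerShell is an added example, not code from the original article or from Microsoft; it assumes the update for MS14-068 is KB3011780 (the KB number Microsoft published for the bulletin; confirm it against the bulletin for each OS version in your estate), enumerates the domain controllers in the current forest, and reports any that are missing the update or that could not be queried.

```powershell
# Added example, not from the original article or from Microsoft.
# Checks whether every domain controller in the current forest has the
# MS14-068 update installed. Assumption: the update's KB number is KB3011780;
# confirm it against the bulletin for each OS version before relying on this.
# Run from a domain-joined host as an account with admin rights on the DCs;
# Get-HotFix uses WMI over DCOM, so RPC to each DC must be reachable.

$Kb = 'KB3011780'

# Enumerate domain controllers through the .NET AD API; no RSAT module needed.
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$dcNames = $forest.Domains |
    ForEach-Object { $_.DomainControllers } |
    ForEach-Object { $_.Name }

$results = foreach ($dc in $dcNames) {
    try {
        # Pull the full hotfix list once and filter locally, so a missing KB
        # is a clean $false rather than a "not found" error that could be
        # confused with a connectivity failure.
        $hotfixes    = Get-HotFix -ComputerName $dc -ErrorAction Stop
        $match       = @($hotfixes | Where-Object { $_.HotFixID -eq $Kb })
        $installedOn = if ($match.Count -gt 0) { $match[0].InstalledOn } else { $null }
        [pscustomobject]@{
            DomainController = $dc
            Patched          = ($match.Count -gt 0)
            InstalledOn      = $installedOn
            Error            = $null
        }
    } catch {
        # An unreachable DC is reported as unpatched, not silently skipped:
        # "unknown" must never be read as "fixed".
        [pscustomobject]@{
            DomainController = $dc
            Patched          = $false
            InstalledOn      = $null
            Error            = $_.Exception.Message
        }
    }
}

$results | Sort-Object Patched, DomainController | Format-Table -AutoSize

$unpatched = @($results | Where-Object { -not $_.Patched })
if ($unpatched.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) missing {1} or unreachable" -f $unpatched.Count, $Kb)
    exit 1
}
```

The script exits non-zero if any domain controller is missing the update or could not be reached, so it can be dropped into a scheduled job or a change-window checklist. Remember that the quoted caveat above cuts both ways: because exploitation only needs an ordinary domain account, an unpatched DC in a forest with thousands of users is effectively exposed to all of them.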
Microsoft also gave a statement following the patch, saying that the company will remain “focused on minimizing potential customer disruptions with our releases”.
KitGuru Says: That’s another potentially harmful bug patched out of Windows.