Microsoft releases out-of-band Kerberos patch

November 19, 2014 | 11:47

Tags: #insecurity #patch-tuesday #privilege-escalation #security #update-tuesday #vulnerability #windows

Companies: #microsoft

Microsoft has broken with its traditional monthly Patch Tuesday release cycle to push out a patch for a critical vulnerability in the Kerberos security system of all current Windows releases.

Microsoft typically follows a self-imposed monthly release cycle dubbed Patch Tuesday, although the company has recently taken to calling the second Tuesday of the month Update Tuesday to avoid negative connotations. Under this cycle, any updates for its products - whether new features, bug fixes or solutions for security vulnerabilities - are released in bulk on the second Tuesday of the month. This, it is argued, allows for longer testing periods inside Microsoft and makes scheduling easier for end-users: businesses know that they will need to download and test each Patch Tuesday's releases before rolling them out to their own users, and can thus set aside a few days for doing exactly that.

Sometimes, however, a security flaw is serious enough that Microsoft decides it can't wait for the next Patch Tuesday to roll around. When this happens, the company releases an out-of-band update - one that appears on Windows Update with little to no warning. That it does so is a sign that a bug is indeed serious - and as a result, its most recent security bulletin is worthy of attention.

Security Bulletin MS14-068 covers a privilege escalation vulnerability in the Kerberos security subsystem, present in all currently supported versions of Windows. The flaw has been deemed Critical by Microsoft, the company's most serious rating - hence the out-of-band patch. Thankfully, it is a problem likely to concern only enterprise customers: while the Kerberos system is present in all versions of Windows, it is typically only used on servers installed within an Active Directory or similar network environment - thus only servers are likely to be at risk of active attack, and then only if the attacker already has valid credentials for the domain.

'This is pretty severe and definitely explains why Microsoft only delayed the release and did not pull it from the November Patch Tuesday release altogether,' explained Chris Goettle, product manager at security specialist Shavlik, of the patch. 'Our recommendation: include this in your Patch Cycle ASAP.' The MS14-068 patch is one of two which were listed in Microsoft's November bulletin as having a release date 'to be determined,' suggesting that another out-of-band patch could appear before December's Patch Tuesday rolls around.
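Because the bulletin matters mainly to Active Directory environments, the practical follow-up to Shavlik's advice is to confirm that every domain controller has actually received the fix. The following PowerShell script is an added example, not code from the article, Microsoft or Shavlik. It assumes the ActiveDirectory RSAT module is available on the machine running it and that each domain controller is reachable for remote hotfix queries; the KB identifier is not given in the article, so it is supplied as a parameter (the default is the KB id I believe Microsoft published for MS14-068, and it should be checked against the bulletin before being relied upon).

```powershell
# Added example (not from the original article): report which domain controllers
# have the MS14-068 update installed.
# Assumptions: ActiveDirectory module present; remote WMI/CIM access to each DC.
param(
    # KB id of the MS14-068 update. Assumed value; verify against the bulletin.
    [string]$KbId = 'KB3011780'
)

Import-Module ActiveDirectory

# Every DC in the current domain; the KDC role lives here, so these are the hosts that matter.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        # Get-HotFix returns nothing (no error) when the id is absent, so filter explicitly.
        $fix = Get-HotFix -ComputerName $dc -ErrorAction Stop |
               Where-Object { $_.HotFixID -eq $KbId }

        [pscustomobject]@{
            DomainController = $dc
            Status           = if ($fix) { 'Patched' } else { 'MISSING' }
            InstalledOn      = if ($fix) { $fix.InstalledOn } else { $null }
        }
    } catch {
        # Unreachable hosts are reported separately so they are not mistaken for patched ones.
        [pscustomobject]@{
            DomainController = $dc
            Status           = "Unreachable: $($_.Exception.Message)"
            InstalledOn      = $null
        }
    }
}

# Unpatched and unreachable controllers first, so the list reads as a to-do list.
$report | Sort-Object Status -Descending | Format-Table -AutoSize
```

Run it from a workstation with RSAT as a domain-joined administrator; any row reading MISSING or Unreachable is a controller to patch or investigate before the next scheduled cycle.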