November 18, 2014

Microsoft today deviated from its regular pattern of releasing security updates on the second Tuesday of each month, pushing out an emergency patch to plug a security hole in all supported versions of Windows. The company urged Windows users to install the update as quickly as possible, noting that miscreants already are exploiting the weaknesses to launch targeted attacks.

brokenwindowsThe update (MS14-068) addresses a bug in a Windows component called Microsoft Windows Kerberos KDC, which handles authenticating Windows PCs on a local network. It is somewhat less of a problem for Windows home users (it is only rated critical for server versions of Windows) but it poses a serious threat to organizations. According to security vendor Shavlik, the flaw allows an attacker to elevate domain user account privileges to those of the domain administrator account.

“The attacker could forge a Kerberos Ticket and send that to the Kerberos KDC which claims the user is a domain administrator,” writes Chris Goettl, product manager with Shavlik. “From there the attacker can impersonate any domain accounts, add themselves to any group, install programs, view\change\delete date, or create any new accounts they wish.  This could allow the attacker to then compromise any computer in the domain, including domain controllers.  If there is a silver lining in this one it is in the fact that the attacker must have a valid domain user account to exploit the vulnerability, but once they have done so, they have the keys to the kingdom.”

The patch is one of two that Microsoft had expected to release on Patch Tuesday earlier this month, but unexpectedly pulled at the last moment.  “This is pretty severe and definitely explains why Microsoft only delayed the release and did not pull it from the November Patch Tuesday release all together,” Goettl said.

On a separate note, security experts are warning those who haven’t yet fully applied the updates from Patch Tuesday to get on with it already. Researchers with vulnerability exploit development firm Immunity have been detailing their work in devising reliable ways to exploit a critical flaw in Microsoft Secure Channel (a.k.a. “Schannel”), a security package in Windows that handles SSL/TLS encryption — which protects the privacy and security of Web browsing for Windows users. More importantly, there are signs that malicious hackers are devising their own methods of exploiting the flaw to seize control over unpatched Windows systems.

Wolfgang Kandek, chief technology officer at Qualys, said security researchers were immediately driven to this bulletin as it updates Microsoft’s SSL/TLS implementation fixing Remote Code Execution and Information Leakage that were found internally at Microsoft during a code audit.

“More information has not been made available, but in theory this sounds quite similar in scope to April’s Heartbleed problem in OpenSSL, which was widely publicized and had a number of documented abuse cases,” Kandek wrote in a blog post today. “The dark side is certainly making progress in finding an exploit for these vulnerabilities. It is now high time to patch.”


57 thoughts on “Microsoft Releases Emergency Security Update

  1. John Cali

    Thanks so much, Brian. I’d be lost on all this security stuff if it wasn’t for you. I, and I know many others, are grateful for all you do.

    1. Max Mohan

      Couldn’t agree more! Thanks! Enjoyed your interview with Jeff on PBSNewshour.

      Keep up the great work and keeping us safe..

  2. CooloutAC

    its weird i just reinstalled windows, and just kept getting security update after security update for the past couple days, this one was the latest.

    One of the patches from last tuesday looked really bad I figured this was related. Heartbleed ranked 5/10 and shellshock ranked 10/10 on most sites. I wonder what this vulnerablity would rank at, i’m assuming it was privately discovered.

    I also think its great you always post about the major adobe and windows updates for when I forget. Thanks alot Brian.

    1. jaded

      If shellshock is 10/10, this is about 15/10. Being able to grant yourself domain admin authority allows you to bypass every single aspect of security in a Windows environment. All this would take would be any form of entry into a Windows environment.

    2. Hopper

      For this exploit to work, you have to be on a Windows domain, which you will need a server with the Active Directory roll in it.

      If you don’t? Dont sweat this vuln. This is more for protecting companies internally from malicious employees.

      1. Harry Johnston

        That’s “Active Directory role”. 🙂

        Not necessarily malicious employees, though that’s one scenario. You could also be attacked if any one of your employees has an infected computer, which is of course rather easy to have happen when you have hundreds or thousands of them.

        You’re quite right in pointing out that MS14-068 doesn’t affect home users, or small businesses that aren’t using Active Directory.

        1. CooloutAC

          well i have a small home lan, with a few pcs and lots of mobile devices….but I always set my windows firewall to public defaults anyways to be safe. My pc is a standalone workstation and i try to shut off all file sharing and remote management.

          They say it only affects servers, but I think home users should update it too anyways.

          And apparently it gets an 9/10 cvss score. and 8/10 exploitability, so shell shock is slightly worse, but this seems almost as bad. pretty crazy.

          https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6324

  3. Anon

    Typo: from the Microsoft article, it looks like it should be “KDC” instead of “KBC”

    1. timeless

      @Brian,

      > view\change\delete date

      date -> update

      And probably add a slash…

      1. forwhat istime?

        Time as we know it. may-be dd/mm/yyyy. is it not?
        At least on some parts of this rock.

        A word to the wise is sufficient.

      2. SeymourB

        Or you could stop, notice that 18 corresponded to the day of the month, and that 14 corresponds to the current year, and realize that maybe the date isn’t formatted like you think it is.

      3. Scott

        I suspect that this should actually be “view/change/delete data” – still a typo, but a simpler one.

  4. petepall

    “Miscreant.” Such a quaint term that could be used to characterize a playground bully. Me? I would have chosen a much more descriptive term! Nevertheless, thanks, Brian. I enjoyed listening to your interview with Terri Gross on Fresh Air (NPR) this afternoon. I look forward to the book coming this week.

    1. anonymous

      A miscreant simply means breaking the law. A perfectly good way of putting it.

      1. petepall

        According to Oxford Dictionary online a miscreant is: “1.a person who behaves badly or in a way that breaks the law.” Thus a playground bully is a miscreant. These jerks who break the law by playing badly in the cyber realm deserve a much more pejorative term.

  5. John Murphy

    Dear Brian, I loved your interview with Terry Gross on NPR today. I don’t think I can continue on in the cyber community without your new book! Best wishes and thanks for all you do for us.

  6. Spam Nation on Security

    You might want to add to your article that Chrome 39 was also released this week.

    Microsoft Security update burnout this month!

  7. David

    Thanks for this critical heads up. This critical patch activity is getting to be like the dentist drill…will it ever stop already!

  8. JCitizen

    That Chrome update was weird! It had to look for updates again immediately after relaunch then put another patch in and relaunched again! At least I hope that was Chrome doing that – or maybe it had to make special compensation for Rapport? Perhaps it was gagging on it, because it doesn’t appear to be working on this new iteration.

  9. Stratocaster

    The Microsoft KUB states that for all current desktop versions of Windows, “Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.” So for most end-users, the panic of an “out-of-band” label doesn’t really apply. If auto-update installs it, fine.

    Network administrators, however, should be very afraid.

    1. E.M.H.

      Well, system administrators, to be specific. But yes, if someone runs Windows Server, they really, REALLY want to pay attention to this. And by this time should be working to install the patch, if it’s not already been applied.

  10. muffin

    When I checked for Windows update this evening, I got an important update released today but it is called KB3011780, security update for Windows 7 for x64 based systems. I don’t see anything about MS14-068. Is the KB one the same as the MS one?
    PS: I’m not a computer expert.

    1. PencilSharp

      Didn’t see anybody else clarify this for you, Muffin, so yes, KB 3011780 is indeed the issue covered by MS14-068.
      And, no, this is not such a big deal for home users (as opposed to organization network administrators, who should flop-sweat now), but there’s no reason to leave a back door potentially open.

  11. G.Scott H.

    I do not see reference to information leakage in the MS bulletin or KB article. Theoretically, a remote code execution in the context of the schannel memory could leak information.

    The only similarity I see to Heartbleed is the SSL/TLS function implementation. If there is more to this schannel issue, then just like heartbleed we may have another batch of certs revoked, keys regenerated, and certs reissued.

  12. Acarolinensis

    “Come over to the dark side. Free cookies.” Loved your interview with Terry Gross.

  13. BaliRob

    Brian,

    Any reason I am getting Windows updates upon closing my XP Pro – received the Unicorn bug last Tues/Wed –
    do you think? I have made no effort to adjust my Registry, etc to avail myself such as others have done on your Forum.

    1. JCitizen

      I can’t address you “bug” issue, but if you have installed anything that required more software support like .NET, you would indeed need more updates, and Windows Update would present them for installation. I’ve had this happen to me when I updated an application, and more .NET v. 4.0 updates were required. The application attempted to install the requirements, and failed, so I ended up going to MS to get them.

      There could be many other update file types that would fall under this same situation.

    2. BaliRob

      @JCitizen – I should have said the MS patch for the very old unicorn@ bug which I did not have of course. Also, the point I was trying to make was that I thought MS was no longer supporting XP yet here I am using XP Pro and getting Windows updates when closing my computer for the night.

  14. slacker

    Is it enough to update the domain controllers to start with?

    An unpatched client could forge the fake kerberos ticket, but a patched domain controller (probably) would not accept it?

    1. Eric

      The implication is that only domain controllers need to be patched, but it is really vital that they do get the patch since only a domain controller can be a KDC.

    2. craigergrc

      To start with? Sure. But why: ” The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1.”
      Let’s think about it: if an unpatched client can forge a ticket and can observe how the DC responds before and after it’s patched, could the unpatched client gain any advantage in having the dc or other servers accept its fake tickets? On the other hand, assuming it is a potential risk but we’d rather not bother with the patch, how can we monitor for fake Kerberos tickets on the network? Should we try to duplicate the attack so we can more easily identify it?

  15. Eaglewerks

    David – Using Windows 95 is akin to driving a 1995 automobile, or reading a Encyclopedia printed in 1995. If you are using a version of Windows 2000 that is akin to driving a 2000 model year car, Windows XP was first available in 2001, and Windows 7 was first available in 2009. Microsoft does a pretty good job of providing free on-line patches and up grades for their products, and as we all know they only recently discontinued freely supporting Win XP, a 13 year old operating system. Win 7, a five year old OS, still enjoys free support. Perhaps your quest for free support would be better directed to the manufacturer of your automobile. Perhaps they can make Takata Air Bags available for your favorite Skoda or Yugo, while they repair the brakes, electrical system and recall all the broken plastic do-dads. Best of Luck in your endeavor.

  16. J M

    I had problems with KB 3000850. Tried to install it on a PC running 8.1 Pro and it failed. I only found that out after I resolved a problem that the update caused. My machine was stuck at: “Keep your PC on until this is done. Installing update 1 of 1″ on the restart. It sat there like that 2 hours until I forced it to quit. This is an up-to-date recent build with zero previous problems.

    1. Sebastian

      This update will ruin your computer. Don’t install it. Programs don’t startup. General instability has been added with this update. Can’t shutdown and restart the computer. This f****** update S****s

      1. J M

        I have no intention of trying that update again. In the future I will take the extra time to research ALL MS updates before installing them. Thanks Sebastian.

        1. Likes2LOL

          I always wait at least 3-4 days after a patch is released before attempting to update. Microsoft has a history of issuing half-baked fixes that cause problems, as J M, Sebastian, and xeric can attest.

          As a company of programmers, Microsoft embarrasses themselves with incompetence more often than you would expect.

          I usually try to offer something humorous, but this is no laughing matter. 🙁

    2. xeric

      KB3000850 is a serious screw up. It’s another example of Microsoft’s inability to put out updates that are adequately tested and functional. This one is a 723mb mess that rendered my PC inoperable. Startup programs didn’t work and shut down stalled out. Trying to uninstall it caused a bluescreen on start up. I wasted 3 hours last night undoing the damage. Whatever “improvements” this “rollup” was supposed to add don’t seem to be worth it anyway. What possessed them to rush this out?

      1. SeymourB

        Considering Windows 8 has been a serious screw-up for Microsoft, it’s only fitting that updates for their screw-up are also screwed-up.

        Sorry, not that I don’t sympathize with you and feel your pain, I’ve certainly been in that situation before. I just found it ironic.

        Still, the lesson to be learned is to always perform a backup, and have the necessary bootable recovery media on hand, etc. before installing updates. It takes extra time, but it really does save you all that misery when things go wrong.

        1. Keyspace

          Not the first update of MC’s that has broken things, and strangely not the first high priority patch. Seems that pushing things out the door fast has its downsides.

  17. mechBgon

    Microsoft’s patches are free already, so that’s covered. Their software licenses don’t cost you much if you’re buying an off-the-shelf Happy Meal™ computer like a Dell, HP or so forth. Even a “retail” Windows license at $200ish is not a bad buy if you’re planning to get 7-8 years of use out of it. Compare that to what you spend on cell-phone contracts or maybe car maintenance. Hmm.

  18. Ugh

    Has anyone else had an issue on a Server 2003 box where Microsoft Updates no longer work?

      1. jjjdavidson

        I have this problem, too, and so do many other admins. But it seems to be unconnected to the latest MS updates, just a coincidence of dates. Seems there’s a built-in expiration date for the Microsoft Update website, saved in a file named muauth.cab. See my comments at the SANS link Steve provides, or at https://social.technet.microsoft.com/Forums/windowsserver/en-US/77990b62-d97f-4648-815f-b021ddc07b5e/windows-update-for-windows-server-2003-will-not-load?forum=winservergen

  19. Colin

    KB3011780 may well be a security fix but it fixes my Vista laptop by turning it unusable because it removes the ability to get wifi access. Uninstalling the update makes it useable again.

  20. Jay

    Can anyone tell me if this update will or will not require a reboot?

    1. J M

      Hey Jay,
      KB 300850 requires a restart. I’m not sure about KB 3011780. I just looked at Microsoft Security Bulletin MS14-068 regarding 3011780. Looks like there is no reason to download either of these updates if you are using Vista, 7, or 8.1 on a non-networked PC. This is a server issue. https://technet.microsoft.com/library/security/MS14-068

      1. Jay

        @JM

        Thanks, I will need to do these since I work for a Consultant that has multiple clients with Domains that we manage.

  21. Kyle

    I normally drag my butt on updates like this … I’ll put it through my computer as soon as possible now … thanks for the alert!

  22. Cody

    For those unaware, publicly available exploit code for MS14-068. It’s a “still in development” Python script, but apparently the base functionality is working.

    For anyone interested, it can be found here: https://github.com/bidord/pykek

  23. Ed

    I am having a problem with this “update”. Windows security update KB3011780 will not install. Starting on 11/19, this update has failed repeatedly, yet every update that came after has installed successfully. I even DLd the Windows Update diagnostic tool, but no success. The only step left was a “windows repair” using original disks, which I have elected to avoid so far.

    Running Windows 7 Home premium, 64 bit I believe.

    Can anybody say if I should be wooried?

    1. Harry Johnston

      @Ed: try downloading the installer (search the MS download site for “KB3011780”) and running it by hand. Sometimes that helps.

      If you can’t get it installed, don’t worry too much about it. So far as is known, the vulnerability is only exploitable on Windows Server. The desktop update was only released as a precautionary measure.

Comments are closed.