Microsoft releases Out of Band update today

Microsoft has rereleased update MS14-068 (Kerberos Checksum Vulnerability) as an out-of-band update and urges customers to deploy it. Their Security Bulletin Summary page (https://technet.microsoft.com/en-us/library/security/ms14-nov.aspx) states that Microsoft is aware of targeted threats for MS14-068. Microsoft recommends customers apply this update to their domain controllers as quickly as possible, as the vulnerability could allow a normal domain account to be elevated to that of a domain admin. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore, it is critical to install the update immediately. The implications are huge here, so I wouldn’t sit on this too long if I were you.

MS14-068
Kerberos Checksum Vulnerability

This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

For more information about this update, see Microsoft Knowledge Base Article 3011780.

Additional Notes: If you aren’t already aware, Azure Active Directory (AAD) does not expose Kerberos over any external interface and is therefore not affected by this vulnerability (although domain controllers running in Azure would be).
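To confirm the update actually reached every domain controller, the following added example (not part of the original post or of Microsoft's bulletin) reports per DC whether KB3011780 is recorded as installed. It assumes Windows PowerShell with the ActiveDirectory module (RSAT) and remote WMI access to the domain controllers.

```powershell
# Added example: audit domain controllers for the MS14-068 update (KB3011780).
# Assumptions: ActiveDirectory module is available, and the account running
# this can query installed updates remotely on each DC.
Import-Module ActiveDirectory

$kb = 'KB3011780'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # List all hotfixes and filter locally, so that an unreachable DC
        # (exception) is not confused with a DC that lacks the update.
        $fix = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { $_.HotFixID -eq $kb } |
            Select-Object -First 1
        $status = if ($fix) { 'Installed' } else { 'Missing' }
    }
    catch {
        $fix = $null
        $status = 'Unreachable'
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        Status           = $status
        InstalledOn      = if ($fix) { $fix.InstalledOn } else { $null }
    }
}

# DCs that are Missing or Unreachable sort ahead of nothing in particular,
# so list them explicitly first, then the full table.
$report | Where-Object { $_.Status -ne 'Installed' } | Format-Table -AutoSize
$report | Sort-Object Status, DomainController | Format-Table -AutoSize
```

Treat `Missing` and `Unreachable` as items to follow up by hand: the check only reflects what each DC records under that update ID, and a DC that was exposed before patching still needs review for changes made while it was vulnerable.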

Jason Condo
Principal Consultant

Windows 10 IT Pro Training – November 20th

Newly announced, Microsoft is offering some free live training November 20th on MVA for IT Pros around Windows 10. Simon May, Brad McCabe, Michael Niehaus, Chris Hallum, and Fred Pullen are your hosts and I expect it to be a great session. If you have had the chance to see Simon or Michael speak, I am sure you will agree this is something you don’t want to miss. If you have the time, check it out.

http://www.microsoftvirtualacademy.com/liveevents/windows-10-technical-preview-fundamentals-for-it-pros

Windows 10 Technical Preview Fundamentals for IT Pros

Live Event Details
November 20, 2014
9am–1pm PST

In this Jump Start training with live Q&A, join us as the lead Windows 10 Enterprise Product Managers roll back the covers on the Windows 10 Technical Preview. Learn about new UI enhancements, find out how management and deployment is evolving, and hear how new security enhancements in Windows 10 can help your organization respond to the modern security threat landscape. Be sure to bring your questions!

Windows 10 – Build 9879 released

As I have posted before, I am using Windows 10 as my main device on my Surface Pro and am quite impressed. At first, the new OS was bloated and used way too much power. With the second update (9860) three weeks ago, I was pleased to see my tablet go back to 5-8 hours of battery life with impressive power savings when docked while on battery. Well, in all its awesomeness, it looks like we have another update to test out!

If you are part of the fast track, you started receiving the newest build (9879) on the 12th. If you are part of the slower track, you should start seeing the build in the next week or so. There are some nice enhancements and I can’t wait to play with this and give my feedback. If you are running this in an enterprise, you may want to put yourself on the slow track until they work out some of the bugs with the new build. The following are the current known bugs:

Some known problems:

As with the last build, you’re getting hot-off-the-presses code which means there are a few issues. We’ll be publishing WU updates shortly to fix the first two, but the remainder will not be fixed for 9879.

  • In some cases you may get a black screen when trying to log-in or unlock. The only option is to hold the power button to hard reboot.
  • You will be unable to connect to Distributed File System network locations.
  • Some systems may see disk growth of 20GB+ due to driver install duplication. On systems with low disk space this can block setup and cause a rollback to the previous build.
  • Skype calls will disconnect and Music will stop playing if those apps are minimized.
  • There are several known issues with screen sharing with Lync.

You can find out more at the Windows Blog (http://blogs.windows.com/bloggingwindows/2014/11/12/new-build-available-to-the-windows-insider-program/)

Jason Condo
Principal Consultant