Microsoft releases Out of Band update today
Microsoft has rereleased update MS14-068 (Kerberos Checksum Vulnerability) as an out of band update and urges customers to deploy it. Stated on their Security Bulletin Summary page (https://technet.microsoft.com/en-us/library/security/ms14-nov.aspx) is that Microsoft is aware of targeted threats for 068. Microsoft recommends customers apply this update to their domain controllers as quickly as possible as it could allow a normal domain account to be elevated to that of a domain admin. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore, it is critical to install the update immediately. The implications are huge here, so I wouldn’t sit on this too long if I were you.
Kerberos Checksum Vulnerability
This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.
This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1. For more information, see the Affected Software section.
The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.
For more information about this update, see Microsoft Knowledge Base Article 3011780.
Additional Notes: If you aren’t already aware, Azure Active Directory (AAD) does not expose Kerberos over any external interface and is therefore not affected by this vulnerability (although domain controllers running in Azure would be).