Number: IRCNE2014112379
Date: 2014/11/18
According to “zdnet”, Microsoft has released an out-of-band update, designated MS14-068, to address a critical vulnerability in server versions of Windows, including Server Core.
The vulnerability (CVE-2014-6324) is in the Windows Kerberos Key Distribution Center (KDC), which supplies session tickets and temporary session keys to users and computers within an Active Directory domain. It could allow an attacker to elevate the privileges of an unprivileged domain user account to those of the domain administrator account, which in turn would allow the attacker to compromise any computer or user in the domain. An attacker must already hold valid domain credentials to exploit the vulnerability.
Microsoft also says that it is "aware of limited, targeted attacks that attempt to exploit this vulnerability."
All server versions of Windows are affected, specifically Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The Windows Server Technical Preview is also affected by this vulnerability.
The update is also being provided to desktop versions of Windows (including the Windows Technical Preview) for what Microsoft calls "...additional defense-in-depth hardening that does not fix any known vulnerability." The update does not apply to Windows RT, presumably because it has no domain logon capability.