Unscheduled Windows update kills critical security bug under active attack

[InfoSec News <alerts () infosecnews org>]

http://arstechnica.com/security/2014/11/unscheduled-windows-update-kills-critical-security-bug-under-active-attack/

By Dan Goodin
Ars Technica
Nov 18 2014

Microsoft has released an unscheduled update to patch a critical security 
hole that is being actively exploited to hack Windows-based servers.

A flaw in the Windows implementation of the Kerberos authentication 
protocol allows attackers with credentials for low-level accounts to 
remotely hijack extremely sensitive Windows domain controllers that 
allocate privileges on large corporate or government networks. The 
privilege elevation bug is already being exploited in highly targeted 
attacks and gives hackers extraordinary control over vulnerable networks.

"The only way a domain compromise can be remediated with a high level of 
certainty is a complete rebuild of the domain," Microsoft engineer Joe 
Bialek wrote in a blog post accompanying Thursday's patch. "An attacker 
with administrative privilege on a domain controller can make a nearly 
unbounded number of changes to the system that can allow the attacker to 
persist their access long after the update has been installed. Therefore 
it is critical to install the update immediately."

The patch came on the same day that security research firm NSS Labs 
reported recently discovering reliable attacks in the wild that exploit 
security holes patched by MS14-064, an update released last week. The 
exploits use proof-of-concept code also released last week to install 
unspecified malware on vulnerable computers, NSS said.

[...]



--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/