UPDATE–Microsoft on Tuesday released a rare out-of-band patch for a critical vulnerability in several versions of Windows and Windows Server, including Windows 8 and 8.1.
The Ms14-068 vulnerability is a flaw in the Kerberos implementation in Windows that could enable an attacker to elevate his privileges on a machine from user to administrator. The bug is rated critical and Microsoft said that it already is being used in targeted attacks.
“This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability,” Microsoft said in its advisory.
“The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.”
Originally, Microsoft planned to release the patch for this vulnerability, MS14-068, on Nov. 11, with the rest of the month’s Patch Tuesday fixes. However, the patch was not included in that release. No reason was given for the omission, but in the past Microsoft has delayed patches that weren’t ready yet or caused problems in testing. The MS14-068 vulnerability is rated critical and the company is urging users to install the patch right away.
“The exploit found in-the-wild targeted a vulnerable code path in domain controllers running on Windows Server 2008R2 and below. Microsoft has determined that domain controllers running 2012 and above are vulnerable to a related attack, but it would be significantly more difficult to exploit. Non-domain controllers running all versions of Windows are receiving a “defense in depth” update but are not vulnerable to this issue,” Microsoft’s SWIAT team said in a blog post.
There is another vulnerability that Microsoft also planned to patch on Nov. 11 that hasn’t yet been fixed. MS14-075 was postponed and the company has yet to announce a release date for that patch.
This story was updated on Nov. 18 to add details about the vulnerability.