Microsoft's out-of-band update yesterday fixes a profoundly serious bug: Any user logged into the domain can elevate their own privilege to any other, up to and including Domain Administrator. When I saw in the advance notification, that one of the bugs was an elevation of privilege bug and rated critical I knew something different was up.
First, some good news: "Azure Active Directory does not expose Kerberos over any external interface and is therefore not affected by this vulnerability." That could have been nasty.
It turns out that Windows Servers 2008 R2 and below are vulnerable to the flaw. Windows Server 2012 is vulnerable to a related, but much harder to exploit attack. Desktop Windows is not vulnerable, but they issued the update for desktop systems anyway. The code is in the desktops, it may as well be correct.
This explains Microsoft's priority list for applying updates:
Domain controllers running Windows Server 2008R2 and below
Domain controllers running Windows Server 2012 and higher
All other systems running any version of Windows
Don't take any breaks until you finish #1.
To understand the bug you need to know a little about how Kerberos works. Microsoft provided the following illustration:
At one point in the process (#2) the KDC (Key Distribution Center, the vulnerable component in the domain controller) sends the client a data structure called a PAC (Privilege Attribute Certificate) containing a digitally signed section itself containing information about the user's security privileges (the user's domain SID and security groups to which he belongs). The user then resends this ticket to the KDC in exchange for a Service Ticket which it can use to authenticate with Windows services.
Here's the problem: The KDC does not always properly validate the digital signature in the PAC sent back to it in request for a Service Ticket. This means it is possible for a user to forge data in the PAC about their privileges, such as by assigning themselves to the Domain Administrators security group.
Microsoft describes a way to determine if you have been exploited prior to applying the update, but it's just a test for some kinds of exploits, including those observed in the wild. Other techniques are possible which would not be detected in this way. Consider the following Security Event Log entry:
Note that the Security ID and Account Name are different. They should be identical.
After you apply the update it is possible to use a different event to look for evidence of exploit attempts.
Take this with deadly seriousness. As the description in the NVD (National Vulnerability Database) says, it's high impact and easy to exploit. And if you are exploited, the price is high, irrespective of any damage the attacker does: The only way to remediate is to rebuild the domain from scratch. Don't let this happen to you.