Microsoft patches critical Windows Server vulnerability

A privilege escalation bug being exploited in the wild could turn a normal user into a domain administrator.
Written by Larry Seltzer, Contributor

Microsoft has released an out-of-band update, designated MS14-068, to address a critical vulnerability in server versions of Windows, including Server Core.

The vulnerability (CVE-2014-6324) is in the Windows Kerberos Key Distribution Center (KDC), which supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The vulnerability could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. This would allow an attacker to compromise any computer or user in the domain. An attacker would have to have valid domain credentials to exploit the vulnerability.

Microsoft also says that it is "aware of limited, targeted attacks that attempt to exploit this vulnerability."

All server versions of Windows are affected, specifically Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The Windows Server Technical Preview is also affected by this vulnerability.

The vulnerability description says the Windows "KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged." There are no workarounds and the only mitigating factor is the requirement of a valid domain logon.
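To make the advisory's wording concrete, here is a small added illustration (not Microsoft's code, and not the real Kerberos or PAC wire format) of the class of defect it describes: a ticket carries authorization data (group membership) under a keyed signature, and a KDC that honours that data without checking the signature lets a holder of a valid but unprivileged ticket claim Domain Admins membership. The key name, ticket structure and user names are all constructed for the example; only the well-known RIDs 512 (Domain Admins) and 513 (Domain Users) are real values.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass
from typing import List

# Constructed KDC-side secret. In a real domain the signing key is held by the
# KDC, never by the client; this value is a hypothetical stand-in.
KDC_KEY = b"constructed-kdc-signing-key"

DOMAIN_ADMINS_RID = 512  # well-known RID of the Domain Admins group
DOMAIN_USERS_RID = 513   # well-known RID of the Domain Users group


@dataclass
class Ticket:
    """Toy service ticket: identity, claimed groups, and a signature over both."""
    user: str
    group_rids: List[int]
    signature: bytes


def _payload(user: str, group_rids: List[int]) -> bytes:
    # Canonical encoding so the same claims always sign to the same bytes.
    return json.dumps({"user": user, "groups": sorted(group_rids)}).encode()


def issue_ticket(user: str, group_rids: List[int]) -> Ticket:
    """KDC side: sign the authorization data with the KDC-only key."""
    sig = hmac.new(KDC_KEY, _payload(user, group_rids), hashlib.sha256).digest()
    return Ticket(user, list(group_rids), sig)


def verify_ticket(ticket: Ticket) -> bool:
    """Recompute the signature and compare in constant time."""
    expected = hmac.new(KDC_KEY, _payload(ticket.user, ticket.group_rids),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket.signature)


def grants_admin_unchecked(ticket: Ticket) -> bool:
    """Vulnerable pattern: trusts the claimed groups without validating the signature."""
    return DOMAIN_ADMINS_RID in ticket.group_rids


def grants_admin_verified(ticket: Ticket) -> bool:
    """Patched pattern: authorization data counts only if the signature checks out."""
    if not verify_ticket(ticket):
        return False
    return DOMAIN_ADMINS_RID in ticket.group_rids


def forged_ticket_demo() -> dict:
    """Show the two KDC behaviours side by side on a constructed tampered ticket."""
    legit = issue_ticket("alice", [DOMAIN_USERS_RID])
    # Constructed tampering: the group list is altered but the original signature
    # is reused, because the client cannot recompute it without KDC_KEY.
    tampered = Ticket(legit.user, legit.group_rids + [DOMAIN_ADMINS_RID], legit.signature)
    return {
        "unchecked_grants_admin": grants_admin_unchecked(tampered),  # True: forgery honoured
        "verified_grants_admin": grants_admin_verified(tampered),    # False: signature fails
        "verified_accepts_legit": verify_ticket(legit),              # True: untouched ticket
    }


if __name__ == "__main__":
    for name, result in forged_ticket_demo().items():
        print(f"{name}: {result}")
```

The point for a defender is that the signature check is the only thing standing between "valid domain logon" and "domain administrator" here, which is why the bulletin lists a valid domain account as the sole mitigating factor and offers no workaround: the fix has to land in the KDC's validation path itself.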

The update is also being provided to desktop versions of Windows (including the Windows Technical Preview) for what Microsoft calls "...additional defense-in-depth hardening that does not fix any known vulnerability." The update does not apply to Windows RT, presumably because it has no domain logon capability.

The vulnerability was reported to Microsoft by the Qualcomm Information Security & Risk Management team. Microsoft specifically names Tom Maddock for special recognition.

There is no word yet on the disposition of MS14-075, the other update withheld on Patch Tuesday. That update will address unspecified problems in Exchange Server. Microsoft has said that a problem with the Installer program was responsible for the delay.
