Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Microsoft has released a security patch to squash a bug in Windows that hackers are exploiting to compromise whole networks of computers.
Redmond said today a vulnerability (MS14-068) in the Kerberos authentication system, used by default in the operating system, allows a normal user to ramp up their privileges and access rights to that of a domain administrator.
Malicious software run accidentally by users can therefore use this to compromise the entire network – a terrifying thought for those managing intranets and such like.
"The attacker can impersonate any domain accounts; add themselves to any group; install programs; view, change, delete data; or create any new accounts they wish," said Chris Goettl of IT management firm Shavlik.
"This could allow the attacker to then compromise any computer in the domain, including domain controllers."
MS14-068 means an intern can get access to the CEO's office by holding his thumb over the photo on his ID-card. While working from home.— Martijn Grooten (@martijn_grooten) November 18, 2014
Microsoft said the vulnerable component is in all supported versions of Windows – Vista through 8.1 – and Windows Server – 2003 through 2012 R2. The company has made the fix a critical priority for Windows Server systems.
While client systems would not be considered a target for an attack, Microsoft is advising desktop, notebook and tablet users to install the update as a precautionary measure.
Microsoft added it had received reports of "limited, targeted attacks" exploiting the flaw. The software giant thanked "the Qualcomm Information Security & Risk Management team, with special recognition for Tom Maddock," for reporting the issue.
The release comes one week after Microsoft posted its monthly security patch releases. The November Patch Tuesday bundle included 12 bulletins, four of which were rated by Redmond as "critical." ®