Microsoft “tops up” Patch Tuesday, issues delayed fix for zero-day hole in logon security

Microsoft has issued a “top up” security bulletin for a fix that didn’t quite make it into the November 2014 Patch Tuesday.

Originally, Redmond pre-announced 16 bulletins for the month, but two of them slipped.

In the past, patches that didn’t get through final testing in time were not only withdrawn, but had their pre-assigned bulletin numbers withdrawn, too.

When the patches came out later, they’d be tacked onto the end of the list, thus keeping chronological and numerical order in line.

This time, however, MS14-068 and MS14-075 were pulled but left in the list with the annotation “Release date to be determined.”

MS14-075, which word on the street says is a bug fix for Exchange, is still in the “to be determined” bucket. [2014-11-19T09:30Z]

MS14-068 is the one that just came out, and even though it isn’t a remote code execution flaw, it’s nevertheless rated Critical, and here’s why.

Critical hole

The MS14-068 bug is in the Kerberos Key Distribution Center (KDC), a vital service that runs on Windows Active Directory domain controllers to deal with logon security.

We shan’t try to explain Kerberos here, other than to say that it’s a cryptographic “ticketing” system that hands out session keys as part of the logon process.

Kerberos tickets are a bit like hotel room keys that are encoded at the front desk after a security check, and then handed over to give you access, for a limited period, to specific parts of the building.

So, if there’s a security flaw in KDC, the best-of-the-worst outcome you could hope for is some kind of Elevation of Privilege (EoP) or Security Bypass bug, either of which would allow an attacker to acquire access rights they shouldn’t have.

The MS14-068 bug is an EoP: it pretty much lets anyone who can log on to your domain at all, even as the most junior sort of user, turn themselves into a domain administrator, the most powerful force in a Windows network.

That’s like a guest with an access card for an overnight stay in Room 1337 being able to transform his card into an access-all-areas-at-all-times skeleton key.

Worse still, MS14-068 is not a privately disclosed hole.

That means the Bad Guys got there first.

Microsoft reports, in the strangely euphemistic terminology you’ve probably learned to associate with bad security news, that it “was aware of limited, targeted attacks that attempt to exploit this vulnerability.”

→ The words “was aware” are a strange choice. Presumably, Microsoft hasn’t lost its awareness and still is aware of the issue, so let’s hope it really means “we saw some attacks, but they seem to have stopped.” Also, although the words “attempt to exploit” stop short of confirming that the attacks actually succeeded, they don’t explicitly deny it, either.

The bottom line

If we assume the worst:

  • This is a zero-day vulnerability, because the crooks had working exploits before the patches came out.
  • Anyone who can log on to an unpatched network can, in theory, be a domain administrator if they want.
  • This bug affects all supported Windows Server versions, including Server Core.

Microsoft has issued patches for all Windows flavours, including desktop versions that aren’t directly at risk because they aren’t Active Directory domain controllers and don’t have the offending Kerberos services running.

As for “why did Microsoft patch everything, just in case,” the best answer we can think of is, “Because it could.”

Patching “just in case” is a bit like encrypting everything, even files that aren’t confidential, on the grounds that then you don’t have to worry whether you left anything out.

We say, “Do it today!”
