Patch Tuesday woes November 2014

November 23rd, 2014 by Stephen Jones

Last week’s patches.

There are serious problems with MS14-066 (KB2992611), the SChannel patch. It is reported to cause severe performance problems on SQL Server, failures when the Chrome browser talks to IIS web servers, and TLS 1.2 sessions being dropped during the key exchange. There are also compatibility problems with IBM’s B2B Integrator and File Gateway. The TLS failures were traced to four new AES-GCM cipher suites that the update added to the default cipher suite order; Microsoft’s documented workaround is to remove those suites from the SSL cipher suite order, and the update was later reissued for the affected server versions to address the known issues. The workaround only changes which suites get negotiated and does not remove the SChannel fix itself, so it is preferable to uninstalling the patch.

There are also problems with MS14-065 (KB3003057), this month’s cumulative security update for Internet Explorer. Reported problems include crashes of IE 11, inability to connect to the Internet after installing the patch, and incompatibilities with specific software, including Epim and applications that use the IWebBrowser interface.

MS14-070 (KB2989935) is reported to cause unexpected behavior with WebSphere Application Server. In most of these cases, uninstalling the offending patch clears the problem, but that leaves the system without the fix until a corrected update ships, so treat it as a stopgap and keep the patch on the list to reinstall.

Meanwhile, a new “out of band” patch was released. Patch releases outside the regular Patch Tuesday schedule are relatively rare and generally reserved for very severe zero-day vulnerabilities that are already being exploited or have been publicly disclosed, so that the risk of imminent exploitation is high. This one is a little different. Last week’s release was unusual in that the Advance Notification the week before announced 16 patches, but on Patch Tuesday only 14 updates appeared. Two numbers, MS14-068 and MS14-075, were deferred with the label “Release date to be determined.”

MS14-068 (KB3011780) was released on November 18. The vulnerability it addresses, CVE-2014-6324, is rated critical and affects all currently supported versions of Windows Server – 2003, 2008/2008 R2, 2012/2012 R2. It was reported privately, and the attacker has to have valid domain logon credentials to exploit it, but Microsoft’s bulletin also reported limited, targeted attacks already using it, which is what justified the out-of-band release.

MS14-068 addresses a checksum vulnerability in the Kerberos Key Distribution Center (KDC): because the KDC fails to properly validate signatures, parts of a Kerberos service ticket can be forged, specifically the privilege attribute certificate (PAC), the signed structure in the ticket that carries the user’s SID and group memberships. An attacker with any domain account can use this to elevate privileges remotely, presenting a PAC that claims domain administrator membership and getting the KDC to accept it. The attacker would then be able to impersonate any domain user and join any domain group, which gives full control over the domain.
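The post describes the bug only as a failure to validate signatures. Concretely (this detail comes from the public analysis of CVE-2014-6324, not from the post): a PAC carries a server signature and a KDC signature, both of which are supposed to be keyed HMAC-MD5 checksums, but the unpatched KDC honoured whatever checksum type the ticket named, including unkeyed types such as plain MD5 that anyone can compute without a key. The Python below is an added model of that check written for this page; it is not code from the post or from Windows. The PAC encoding, the keys and the RIDs are constructed, and the model is not wire-compatible with real Kerberos, but the checksum type numbers and the keyed-versus-unkeyed distinction are the real ones.

```python
"""Model of the MS14-068 / CVE-2014-6324 PAC signature check (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Kerberos checksum type numbers from the RFC 3961 / RFC 4757 registry.
CKSUM_RSA_MD5 = 7        # unkeyed MD5: anyone can compute it
CKSUM_SHA1 = 14          # unkeyed SHA-1: likewise
CKSUM_HMAC_MD5 = -138    # keyed HMAC-MD5 (RC4-HMAC): needs the service or krbtgt key
KEYED_TYPES = {CKSUM_HMAC_MD5}
KEY_USAGE_PAC = 17       # KERB_NON_KERB_CKSUM_SALT, the key usage for PAC signatures

DOMAIN_USERS_RID = 513
DOMAIN_ADMINS_RID = 512


@dataclass(frozen=True)
class PacSignature:
    cksumtype: int   # chosen by whoever built the ticket
    signature: bytes


def encode_pac(user_rid: int, group_rids: list) -> bytes:
    """Toy PAC body: user RID then group RIDs (constructed; the real PAC is NDR-encoded)."""
    return struct.pack("<I", user_rid) + b"".join(struct.pack("<I", r) for r in sorted(group_rids))


def keyed_checksum(key: bytes, data: bytes, usage: int = KEY_USAGE_PAC) -> bytes:
    """HMAC-MD5 Kerberos checksum in the RFC 4757 section 4 construction."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def unkeyed_checksum(cksumtype: int, data: bytes) -> bytes:
    if cksumtype == CKSUM_RSA_MD5:
        return hashlib.md5(data).digest()
    if cksumtype == CKSUM_SHA1:
        return hashlib.sha1(data).digest()
    raise ValueError(f"unsupported checksum type {cksumtype}")


def sign_pac(pac: bytes, service_key: bytes, krbtgt_key: bytes):
    """What the KDC does when issuing a ticket: server signature over the PAC, KDC
    signature over the server signature. For a TGT the service key is the krbtgt key."""
    server_sig = keyed_checksum(service_key, pac)
    kdc_sig = keyed_checksum(krbtgt_key, server_sig)
    return PacSignature(CKSUM_HMAC_MD5, server_sig), PacSignature(CKSUM_HMAC_MD5, kdc_sig)


def forge_pac(user_rid: int, group_rids: list):
    """Attacker with valid credentials but no keys: writes the PAC it wants and
    'signs' it with an unkeyed checksum type, which needs no secret at all."""
    pac = encode_pac(user_rid, group_rids)
    server_sig = hashlib.md5(pac).digest()
    kdc_sig = hashlib.md5(server_sig).digest()
    return pac, PacSignature(CKSUM_RSA_MD5, server_sig), PacSignature(CKSUM_RSA_MD5, kdc_sig)


def _verify_one(key: bytes, data: bytes, sig: PacSignature, allow_unkeyed: bool) -> bool:
    if sig.cksumtype in KEYED_TYPES:
        expected = keyed_checksum(key, data)
    elif allow_unkeyed:
        # The flaw: the verifier honours the presenter's choice of an unkeyed type.
        expected = unkeyed_checksum(sig.cksumtype, data)
    else:
        # The fix: a PAC signature must use a keyed checksum type, full stop.
        return False
    return hmac.compare_digest(expected, sig.signature)


def kdc_validate(pac, server_sig, kdc_sig, service_key, krbtgt_key, patched: bool) -> bool:
    """KDC-side check of a presented ticket's PAC, before or after the MS14-068 fix."""
    return (_verify_one(service_key, pac, server_sig, allow_unkeyed=not patched)
            and _verify_one(krbtgt_key, server_sig.signature, kdc_sig, allow_unkeyed=not patched))


def forged_ticket_accepted(patched: bool) -> bool:
    """Does a low-privilege user's forged 'Domain Admins' PAC get through?"""
    service_key = b"\x11" * 16   # constructed keys; real ones derive from account passwords
    krbtgt_key = b"\x22" * 16
    pac, ssig, ksig = forge_pac(1105, [DOMAIN_USERS_RID, DOMAIN_ADMINS_RID])
    return kdc_validate(pac, ssig, ksig, service_key, krbtgt_key, patched)


def genuine_ticket_accepted(patched: bool) -> bool:
    """A properly issued PAC must keep working after the fix."""
    service_key = b"\x11" * 16
    krbtgt_key = b"\x22" * 16
    pac = encode_pac(1105, [DOMAIN_USERS_RID])
    ssig, ksig = sign_pac(pac, service_key, krbtgt_key)
    return kdc_validate(pac, ssig, ksig, service_key, krbtgt_key, patched)


if __name__ == "__main__":
    for patched in (False, True):
        print(f"patched={patched}: genuine={genuine_ticket_accepted(patched)} "
              f"forged={forged_ticket_accepted(patched)}")
```

The design point is that the type field of a signature is attacker-controlled data; a verifier that dispatches on it lets the attacker choose an algorithm with no secret in it. The patched check pins the accepted type set instead of trusting the ticket, which is the same rule as rejecting `alg: none` in a JWT.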

Windows Server domain controllers that function as Kerberos KDCs should be patched as soon as possible. This includes Server Core installations. Since every domain controller runs the KDC service, that means all of them: one unpatched DC is enough for an attacker to obtain a forged ticket. In addition to fixing the Kerberos vulnerability, the update includes additional defense-in-depth hardening, so it should also be applied to Windows client systems – Vista, Windows 7 and Windows 8/8.1 – even though they are not at risk from the Kerberos vulnerability itself. The patch stops new forgeries but does not undo anything done with tickets forged before it was installed, so domain controller security logs should be reviewed for signs of exploitation, and a domain known to have been compromised this way needs an incident response, not just the update.
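For the log review, Microsoft’s write-up of CVE-2014-6324 pointed defenders at logon events (ID 4624) on the domain controllers where the Security ID does not match the Account Name: the forged PAC carries a more privileged SID (for example the built-in Administrator’s RID 500) while the ticket still names the low-privilege user who requested it. The script below is an added example written for this page, not code from the post or from Microsoft. It runs that check over constructed event XML in the Windows event schema and a constructed SID-to-account lookup; on a real DC the records would come from the Security log (Get-WinEvent) and SIDs would be resolved through LDAP or SecurityIdentifier.Translate. The domain SID, account names and IP addresses are all made up.

```python
"""Hunting for MS14-068 exploitation in domain controller 4624 events (added example)."""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Constructed domain SID and SID -> sAMAccountName lookup. On a real DC resolve SIDs
# with LDAP or System.Security.Principal.SecurityIdentifier.Translate instead.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
DIRECTORY = {
    f"{DOMAIN_SID}-500": "Administrator",
    f"{DOMAIN_SID}-1105": "alice",
    f"{DOMAIN_SID}-1106": "bob",
}


def make_event(event_id: int, **fields: str) -> str:
    """Build a minimal Windows event XML record (constructed sample data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'<Computer>DC1.corp.example</Computer></System><EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [
    # Ordinary Kerberos network logon: SID and name agree.
    make_event(4624, TargetUserSid=f"{DOMAIN_SID}-1105", TargetUserName="alice",
               TargetDomainName="CORP", LogonType="3",
               AuthenticationPackageName="Kerberos", IpAddress="10.0.0.45"),
    # Forged PAC: the ticket still names alice, but the PAC carries the built-in
    # Administrator's SID, so the logon is recorded as alice with RID 500.
    make_event(4624, TargetUserSid=f"{DOMAIN_SID}-500", TargetUserName="alice",
               TargetDomainName="CORP", LogonType="3",
               AuthenticationPackageName="Kerberos", IpAddress="10.0.0.45"),
    # A SID the lookup cannot resolve: report nothing rather than guess.
    make_event(4624, TargetUserSid="S-1-5-21-9-9-9-1200", TargetUserName="svc_backup",
               TargetDomainName="CORP", LogonType="3",
               AuthenticationPackageName="Kerberos", IpAddress="10.0.0.7"),
    # Not a logon event: ignored.
    make_event(4634, TargetUserSid=f"{DOMAIN_SID}-1106", TargetUserName="bob"),
]


def parse_event(xml_text: str):
    """Return (event_id, {Data Name: value}) from one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def find_sid_name_mismatches(events, directory=DIRECTORY):
    """Flag 4624 events whose TargetUserSid resolves to a different account than TargetUserName."""
    findings = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id != 4624:
            continue
        sid = data.get("TargetUserSid", "")
        name = data.get("TargetUserName", "")
        resolved = directory.get(sid)
        if resolved is None:
            continue   # unresolvable SID: not evidence either way, log it separately if you like
        if resolved.casefold() != name.casefold():
            findings.append({
                "account_name": name,
                "sid": sid,
                "sid_resolves_to": resolved,
                "source_ip": data.get("IpAddress", ""),
                "auth_package": data.get("AuthenticationPackageName", ""),
            })
    return findings


if __name__ == "__main__":
    for f in find_sid_name_mismatches(SAMPLE_EVENTS):
        print(f"ALERT 4624: account {f['account_name']} logged on with the SID of "
              f"{f['sid_resolves_to']} ({f['sid']}) from {f['source_ip']}")
```

Run this across every DC, not just one, since the attacker can present the forged ticket to whichever KDC it likes. A hit is worth an investigation on its own; it is not something a legitimate logon produces.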
