Microsoft Emergency Update Fixes Flawed Windows Authentication Scheme

Microsoft issued an out-of-band security update Tuesday, repairing a critical Windows vulnerability being actively targeted that enables an attacker to gain administrative privileges on a Windows domain.

The security update fixes a flaw in the Microsoft Windows Kerberos KDC, the key-distribution component that handles log-ins and permission requests on a Windows Server domain. The Key Distribution Center is a domain service that ties into Active Directory to grant authentication requests.

"An attacker that successfully exploited this vulnerability could impersonate any user on the domain, including domain administrators, and join any group. By impersonating the domain administrator, the attacker could install programs; view, change or delete data; or create new accounts on any domain-joined system," Microsoft said in its advisory.

The update is rated critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. Vulnerability management experts said the update was apparently held back from Microsoft's Patch Tuesday round of updates Nov. 11, while engineers conducted further testing.

Microsoft may have learned of a negative side effect of the patch or some question about the completeness of the patch, said Ross Barrett, a senior engineering manager at Boston-based vulnerability management vendor Rapid7.

"Obviously because Microsoft is aware of 'limited targeted attacks' they were motivated to get the fix out as soon as possible, rather than wait for December. The mitigating factor here is that an attacker must have already authenticated as a valid domain user to exploit this vulnerability," Barrett said.

Meanwhile, attackers are also letting loose against a Windows vulnerability used in targeted attacks against individuals using Internet Explorer.

The object linking and embedding (OLE) flaw in Windows was first used in a cyberespionage campaign. The attackers, identified as a Russia-based group called Sandworm, have targeted a variety of organizations in the U.S. and Europe. Only a day after Microsoft issued a patch fixing the vulnerability, a module exploiting it was released for the Metasploit penetration testing toolkit.

A working exploit is targeting users of Internet Explorer 7, 8 and 9 in a drive-by attack campaign, according to NSS Labs, which issued a warning Tuesday. The OLE flaw impacts every version of Windows, including Windows 95 and Windows XP. The attack relies on VBScript, a legacy scripting engine that Internet Explorer still supports.

Solution providers say organizations need to reassess their patching processes to ensure that updates issued by Microsoft and other software makers are adequately tested and deployed in a timely manner. Attackers are quick to reverse-engineer patches issued by software makers and rely on poor and inefficient patching processes that leave flaws open for weeks before they are addressed, said Jeremy MacBean, director of business development at IT Weapons, a Brampton, Ontario-based solution provider.

"This has been a busy month for patching admins," MacBean said in a recent interview. "If you are not proactively addressing security within your organization, your systems will be compromised; it's only a matter of time."

NSS Labs and security experts at other organizations are urging IT administrators to test and deploy patches repairing the vulnerability as soon as possible. The exploit bypasses all of the Microsoft protections, including data execution prevention (DEP), address space layout randomization (ASLR), and the Enhanced Mitigation Experience Toolkit (EMET), NSS Labs said.

The attack uses JavaScript to identify whether the website visitor is using a PC containing the vulnerability. Once a successful exploit is carried out, the attackers drop malware on the victim's machine.

The Sandworm group used malicious PowerPoint and other Office file attachments to exploit the flaw in its campaign.

Security experts expected that both the Windows OLE vulnerability and a flawed Windows SSL crypto implementation would eventually be widely targeted by cybercriminals. Both critical bulletins were released as part of Microsoft's November round of security updates.

The SSL crypto implementation, called Secure Channel or Schannel in Windows, handles the SSL and TLS authentication used in browsing sessions. The flaw can be exploited remotely to eavesdrop on sensitive traffic or to run malicious code on a server.