[10249] in Security FYI
[IS&T Security-FYI] Microsoft Security Bulletin MS14-068 - CRITICAL
daemon@ATHENA.MIT.EDU (Monique Buchanan)
Wed Nov 19 09:24:36 2014
Resent-From: ist-security-fyi@mit.edu
From: Monique Buchanan <myeaton@mit.edu>
To: "IT Security Special Interest Group [Security SIG]" <security_sig@mit.edu>,
ist-security-fyi <ist-security-fyi@mit.edu>
Date: Wed, 19 Nov 2014 14:22:52 +0000
Message-ID: <45D67041-0B50-4C18-B427-A32095726F5F@mit.edu>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1926609517=="
Errors-To: ist-security-fyi-bounces@mit.edu
--===============1926609517==
Content-Language: en-US
Content-Type: multipart/alternative;
boundary="_000_45D670410B504C18B427A32095726F5Fmitedu_"
--_000_45D670410B504C18B427A32095726F5Fmitedu_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Microsoft Security Bulletin MS14-068 - CRITICAL
https://technet.microsoft.com/en-us/library/security/MS14-068
Yesterday, November 18, Microsoft released update MS14-068 to address CVE-2=
014-6324, a Windows Kerberos implementation elevation of privilege vulnerab=
ility that is being exploited in-the-wild in limited, targeted attacks.
This security update resolves a privately reported vulnerability in Microso=
ft Windows Kerberos KDC that could allow an attacker to elevate unprivilege=
d domain user account privileges to those of the domain administrator accou=
nt. An attacker could use these elevated privileges to compromise any compu=
ter in the domain, including domain controllers. An attacker must have vali=
d domain credentials to exploit this vulnerability.
The affected component is available remotely to users who have standard use=
r accounts with domain credentials; this is not the case for users with loc=
al account credentials only. When this security bulletin was issued, Micros=
oft was aware of limited, targeted attacks that attempt to exploit this vul=
nerability.
The update is rated Critical for all supported editions of Windows Server 2=
003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and =
Windows Server 2012 R2. The update is also being provided on a defense-in-d=
epth basis for all supported editions of Windows Vista, Windows 7, Windows =
8, and Windows 8.1.
See also:
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-ab=
out-cve-2014-6324.aspx
Sincerely,
Monique
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D
Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715
Please note I work from home on Fridays.
--_000_45D670410B504C18B427A32095726F5Fmitedu_
Content-Type: text/html; charset="us-ascii"
Content-ID: <AEAAB75B7B225141B457170E96516C7F@exchange.mit.edu>
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
</head>
<body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-lin=
e-break: after-white-space;" class=3D"">
<div class=3D""><font face=3D"Avenir-Book" class=3D"">Microsoft Security Bu=
lletin MS14-068 - CRITICAL</font></div>
<div class=3D""><font face=3D"Avenir-Book" class=3D""><br class=3D"">
</font></div>
<div class=3D""><a href=3D"https://technet.microsoft.com/en-us/library/secu=
rity/MS14-068" class=3D"">https://technet.microsoft.com/en-us/library/secur=
ity/MS14-068</a></div>
<div class=3D""><font face=3D"Avenir-Book" class=3D""><br class=3D"">
</font></div>
<div class=3D""><font face=3D"Avenir-Book" class=3D"">Yesterday, November 1=
8, Microsoft released update MS14-068 to address CVE-2014-6324, a Windows K=
erberos implementation elevation of privilege vulnerability that is being e=
xploited in-the-wild in limited, targeted
attacks.</font></div>
<div class=3D""><font face=3D"Avenir-Book" class=3D""><br class=3D"">
</font></div>
<div class=3D""><font face=3D"Avenir-Book" class=3D"">This security update =
resolves a privately reported vulnerability in Microsoft Windows Kerberos K=
DC that could allow an attacker to elevate unprivileged domain user account=
privileges to those of the domain administrator
account. An attacker could use these elevated privileges to compromise any=
computer in the domain, including domain controllers. An attacker must hav=
e valid domain credentials to exploit this vulnerability. </font></div=
>
<div class=3D""><font face=3D"Avenir-Book" class=3D""><br class=3D"">
</font></div>
<div class=3D""><font face=3D"Avenir-Book" class=3D"">The affected componen=
t is available remotely to users who have standard user accounts with domai=
n credentials; this is not the case for users with local account credential=
s only. When this security bulletin was
issued, Microsoft was aware of limited, targeted attacks that attempt to e=
xploit this vulnerability.</font></div>
<div class=3D""><font face=3D"Avenir-Book" class=3D""><br class=3D"">
</font></div>
<div class=3D""><font face=3D"Avenir-Book" class=3D"">The update is rated C=
ritical for all supported editions of Windows Server 2003, Windows Server 2=
008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R=
2. The update is also being provided on
a defense-in-depth basis for all supported editions of </font><span s=
tyle=3D"font-family: Avenir-Book;" class=3D"">Windows Vista, Windows 7, Win=
dows 8, and Windows 8.1.</span></div>
<div class=3D""><font face=3D"Avenir-Book" class=3D""><br class=3D"">
</font></div>
<div class=3D""><font face=3D"Avenir-Book" class=3D"">See also:</font></div=
>
<div class=3D""><a href=3D"http://blogs.technet.com/b/srd/archive/2014/11/1=
8/additional-information-about-cve-2014-6324.aspx" class=3D"">http://blogs.=
technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-=
6324.aspx</a></div>
<div apple-content-edited=3D"true" class=3D"">
<div style=3D"color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; t=
ext-align: start; text-indent: 0px; text-transform: none; white-space: norm=
al; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-w=
rap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-=
space;" class=3D"">
<div style=3D"color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; t=
ext-align: start; text-indent: 0px; text-transform: none; white-space: norm=
al; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-w=
rap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-=
space;" class=3D"">
<div style=3D"color: rgb(0, 0, 0); font-family: Avenir; font-style: normal;=
font-variant: normal; font-weight: normal; letter-spacing: normal; line-he=
ight: normal; orphans: auto; text-align: start; text-indent: 0px; text-tran=
sform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-=
text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -w=
ebkit-line-break: after-white-space;" class=3D"">
<div style=3D"color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; t=
ext-align: start; text-indent: 0px; text-transform: none; white-space: norm=
al; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-w=
rap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-=
space;" class=3D"">
<div style=3D"color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; t=
ext-align: start; text-indent: 0px; text-transform: none; white-space: norm=
al; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-w=
rap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-=
space;" class=3D"">
<div style=3D"color: rgb(0, 0, 0); font-family: Avenir; font-style: normal;=
font-variant: normal; font-weight: normal; letter-spacing: normal; line-he=
ight: normal; orphans: auto; text-align: start; text-indent: 0px; text-tran=
sform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-=
text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -w=
ebkit-line-break: after-white-space;" class=3D"">
<br class=3D"">
Sincerely,</div>
<div style=3D"color: rgb(0, 0, 0); font-family: Avenir; font-style: normal;=
font-variant: normal; font-weight: normal; letter-spacing: normal; line-he=
ight: normal; orphans: auto; text-align: start; text-indent: 0px; text-tran=
sform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-=
text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -w=
ebkit-line-break: after-white-space;" class=3D"">
<br class=3D"">
Monique<br class=3D"">
<br class=3D"">
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D<br class=3D"">
Monique Buchanan<br class=3D"">
IT Security Communications Coordinator<br class=3D"">
Information Systems & Technology (IS&T)<br class=3D"">
Massachusetts Institute of Technology<br class=3D"">
<a href=3D"http://ist.mit.edu/secure" class=3D"">http://ist.mit.edu/secure<=
/a><br class=3D"">
tel: 617.253.2715</div>
<div style=3D"font-size: 14px; color: rgb(0, 0, 0); font-family: Avenir; fo=
nt-style: normal; font-variant: normal; font-weight: normal; letter-spacing=
: normal; line-height: normal; orphans: auto; text-align: start; text-inden=
t: 0px; text-transform: none; white-space: normal; widows: auto; word-spaci=
ng: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbs=
p-mode: space; -webkit-line-break: after-white-space;" class=3D"">
<br class=3D"">
</div>
<div style=3D"font-size: 14px; color: rgb(0, 0, 0); font-family: Avenir; fo=
nt-style: normal; font-variant: normal; font-weight: normal; letter-spacing=
: normal; line-height: normal; orphans: auto; text-align: start; text-inden=
t: 0px; text-transform: none; white-space: normal; widows: auto; word-spaci=
ng: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbs=
p-mode: space; -webkit-line-break: after-white-space;" class=3D"">
Please note I work from home on Fridays.</div>
<br class=3D"Apple-interchange-newline">
</div>
</div>
</div>
<br class=3D"">
</div>
<br class=3D"Apple-interchange-newline">
</div>
<br class=3D"Apple-interchange-newline">
<br class=3D"Apple-interchange-newline">
</div>
<br class=3D"">
</body>
</html>
--_000_45D670410B504C18B427A32095726F5Fmitedu_--
--===============1926609517==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
ist-security-fyi mailing list
ist-security-fyi@mit.edu
To Unsubscribe http://mailman.mit.edu/mailman/listinfo/ist-security-fyi
--===============1926609517==--
