Craig Young, security researcher, comments:
“Microsoft has released MS14-068 to describe a crypto failure within Microsoft’s Kerberos key distribution center (KDC) with the impact of allowing low-privileged domain users to gain administrative access to any computer in the domain including the domain controller.
The problem stems from a failure to properly validate cryptographic signatures, which allows certain aspects of a Kerberos service ticket to be forged. The vulnerability has already been used in limited attacks and should be considered a serious risk to enterprises using a Kerberos KDC on a Windows domain.
Windows servers in affected environments should be patched at once to prevent exploitation. Administrators should also consider deploying the defense-in-depth changes issued for Microsoft’s desktop platforms to limit exposure to other vulnerabilities which may be lurking in the code.
Cryptography is hard and doing cryptography right is even harder. Over the years a variety of security flaws have been the result of signatures which do not authenticate all critical data or failure to properly validate signatures. Earlier this year several high-profile Bitcoin exchanges (including MtGox) learned this lesson the hard way when attackers managed to steal hundreds of millions if not billions of dollars through transaction malleability. This was made possible because attackers could change aspects of a transaction without affecting the signature thereby creating competing transactions which could both be cryptographically verified.”
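The validation failure described in the comments above, as an added illustration that is not part of the original commentary: a constructed, simplified model of a ticket carrying authorisation data (principal plus group membership) and a checksum the KDC must validate. In MS14-068 (CVE-2014-6324) the KDC accepted privilege-attribute checksums computed with unkeyed algorithms, so a client holding no key could compute a "signature" the KDC would accept. The flawed verifier below lets the ticket name its own checksum type; the hardened one requires a keyed checksum regardless of what the ticket claims. The key, principal names, JSON encoding and use of RIDs 512/513 as sample group membership are all assumptions of this example, not the Kerberos or PAC wire format.

```python
"""Toy model of KDC-side checksum validation on ticket authorisation data.

Constructed example: not the real Kerberos/PAC encoding, only the shape of the
validation mistake (trusting a client-chosen, unkeyed checksum type).
"""
import hashlib
import hmac
import json

# Constructed long-term key known only to the KDC (stands in for the krbtgt key).
KDC_KEY = b"constructed-krbtgt-long-term-key-0123456789"

KEYED_MD5 = "hmac-md5"   # keyed checksum: computing it requires KDC_KEY
UNKEYED_MD5 = "md5"      # plain hash: anyone can compute it over any data


def encode_authz(principal, group_rids):
    """Canonical byte encoding of the data the checksum must cover."""
    return json.dumps({"principal": principal, "groups": sorted(group_rids)},
                      sort_keys=True, separators=(",", ":")).encode()


def checksum(data, cksum_type, key=None):
    """Compute a checksum of the requested type; key is ignored for unkeyed types."""
    if cksum_type == KEYED_MD5:
        return hmac.new(key, data, hashlib.md5).digest()
    if cksum_type == UNKEYED_MD5:
        return hashlib.md5(data).digest()
    raise ValueError("unsupported checksum type: %r" % cksum_type)


def kdc_issue(principal, group_rids):
    """What the legitimate KDC emits: authz data plus a keyed checksum."""
    data = encode_authz(principal, group_rids)
    return {"principal": principal, "groups": sorted(group_rids),
            "cksum_type": KEYED_MD5, "cksum": checksum(data, KEYED_MD5, KDC_KEY)}


def attacker_forge(principal, group_rids):
    """No key needed: the forger picks an unkeyed type and computes it itself."""
    data = encode_authz(principal, group_rids)
    return {"principal": principal, "groups": sorted(group_rids),
            "cksum_type": UNKEYED_MD5, "cksum": checksum(data, UNKEYED_MD5)}


def verify_weak(ticket, key):
    """Flawed validator: recomputes whatever checksum type the ticket names.

    The comparison is constant-time and the math is right, yet a forged
    ticket passes because the ticket, not the verifier, chose the algorithm.
    """
    data = encode_authz(ticket["principal"], ticket["groups"])
    expected = checksum(data, ticket["cksum_type"], key)
    return hmac.compare_digest(expected, ticket["cksum"])


def verify_strict(ticket, key):
    """Hardened validator: only a checksum keyed with the KDC key is acceptable."""
    if ticket["cksum_type"] != KEYED_MD5:
        return False
    data = encode_authz(ticket["principal"], ticket["groups"])
    expected = checksum(data, KEYED_MD5, key)
    return hmac.compare_digest(expected, ticket["cksum"])


if __name__ == "__main__":
    # 513 = Domain Users RID, 512 = Domain Admins RID (used here as sample data).
    legit = kdc_issue("alice", [513])
    forged = attacker_forge("alice", [513, 512])
    print("weak   accepts legit :", verify_weak(legit, KDC_KEY))
    print("weak   accepts forged:", verify_weak(forged, KDC_KEY))    # the flaw
    print("strict accepts legit :", verify_strict(legit, KDC_KEY))
    print("strict accepts forged:", verify_strict(forged, KDC_KEY))
```

The point of `verify_weak` is that nothing about the individual operations is broken: the hash is computed correctly and compared in constant time. The failure is that the set of acceptable algorithms is taken from untrusted input, so an unkeyed checksum is treated as proof of origin. A validator should fix the algorithm (or an allow-list of keyed ones) on its own side and reject anything else before touching the bytes.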
Tyler Reguly, manager of security research, writes:
“Today, the first missing patch from Patch Tuesday was released -- MS14-068 fixes a Kerberos flaw. This just leaves us waiting for the identity of MS14-075.
It's interesting that this bulletin offers updates for all operating systems but there isn't a severity listed for desktop operating systems. When you read the associated note, only server-side systems are affected by this vulnerability; the remaining operating systems are receiving defense-in-depth updates. That should help prioritize patch installation for administrators everywhere.
Microsoft mentions that they are aware of limited, targeted attacks against this vulnerability but this is common in many of the bulletins we see issued, and they don't all receive out of band updates. It's odd to see Microsoft deviating from its normal OOB criteria and you have to wonder about the extent of these attacks and/or the severity of the issue.
If Microsoft begins to take this approach with every vulnerability that sees 'limited, targeted attacks', we may see an increase in the number of OOB updates and that could lead to patch anarchy. Let's hope that they only went ahead with this release because it had been pulled earlier, presumably due to QA issues.”