Microsoft issues urgent patch for critical Windows flaw

Bug allows attackers to become admins.

Microsoft today issued an emergency patch for a severe security hole in all supported versions of Windows Server, which allows attackers to create administrator accounts and gain full access to systems.

Due to the severity of the flaw, Microsoft was forced to depart from its usual Patch Tuesday schedule for security updates and push out the patch out-of-band.

The company urged Windows users to immediately install the patch, warning the vulnerability was already being exploited.

The update addresses the MS14-068 hole in the Windows Kerberos KDC component, which authenticates computers on a local network.

While less troublesome for home users, the bug is rated critical for server versions of Windows, posing a serious threat to businesses running any of the supported versions.

There are no workarounds identified by Microsoft for the vulnerability.

The flaw allows attackers to elevate domain user account privileges to those of the administrator account, giving them the ability to impersonate any account on the domain and compromise any computer or user on the network.

To exploit the vulnerability, the attacker would first need to have access to valid domain user credentials, Microsoft said.

The company said it was "aware of limited, targeted attacks that attempt to exploit this vulnerability."

According to Microsoft, the issue stems from a failure by the KDC implementations to "properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged".

The update is rated critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

Microsoft is also offering the patch to Windows desktop versions for "additional defense-in-depth hardening that does not fix any known vulnerability," the company said. The bug does not affect Windows RT.

Copyright © iTnews.com.au. All rights reserved.