Microsoft released fourteen security bulletins last week on this month's patch day. If you read the patch notes or our summary, you may have noticed that two bulletins were mentioned but not released on that day.
It is unclear why the two bulletins were listed by Microsoft but not released on the day. One explanation for this is that the company needed more time to create patches for affected systems.
The first of the two, MS14-068, will be released later today. To be precise, Microsoft will make the patch available via Windows Update on November 18, 2014 at around 10 a.m. PST.
The company published an advanced notification for the patch which does not reveal all the details yet.
What we know is the following:
If you check the affected operating systems, you will notice that all server systems are affected critically while client systems are not affected by it at all.
Client systems are listed on the page as well but Microsoft notes that the vulnerability addressed in the bulletin is not present in client systems.
The reason why they are listed on the page is that the update "provides additional defense-in-depth" hardening instead.
This means that the update will be made available for all client and server operating systems that Microsoft supports currently.
Microsoft plans to release an update to the company's own Windows Malicious Software Removal Tool as well. It is unclear right now if the update will be made available at the same time or at a later point in time.
This article will be updated with additional information once the full bulletin becomes available.
Update: Microsoft published the bulletin a moment ago.
MS14-068 - Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - critical - Elevation of Privilege
This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.
If you like our content, and would like to help, please consider making a contribution: