Microsoft releases out-of-band critical security patch MS14-068 today - gHacks Tech News

Microsoft releases out-of-band critical security patch MS14-068 today

Microsoft released fourteen security bulletins last week on this month's patch day. If you read the patch notes or our summary, you may have noticed that two bulletins were mentioned but not released on that day.

It is unclear why the two bulletins were listed by Microsoft but not released on the day. One explanation for this is that the company needed more time to create patches for affected systems.

The first of the two, MS14-068, will be released later today.  To be precise, Microsoft will make the patch available via Windows Update on November 18, 2014 at around 10 a.m. PST.

The company published an advanced notification for the patch which does not reveal all the details yet.

What we know is the following:

  1. The bulletin ID is MS14-068.
  2. The bulletin has a severity rating of critical.
  3. The vulnerability impact is elevation of privilege.
  4. The security vulnerability affects only Windows Server systems and not client systems.
  5. Windows 10 Technical Preview and Windows 10 Server Technical Preview are affected.

If you check the affected operating systems, you will notice that all server systems are affected critically while client systems are not affected by it at all.

Client systems are listed on the page as well but Microsoft notes that the vulnerability addressed in the bulletin is not present in client systems.

ms14-068 windows patch

The reason why they are listed on the page is that the update "provides additional defense-in-depth" hardening instead.

This means that the update will be made available for all client and server operating systems that Microsoft supports currently.

Microsoft plans to release an update to the company's own Windows Malicious Software Removal Tool as well. It is unclear right now if the update will be made available at the same time or at a later point in time.

This article will be updated with additional information once the full bulletin becomes available.

Update: Microsoft published the bulletin a moment ago.

MS14-068 - Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - critical - Elevation of Privilege

This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

Summary
Article Name
Microsoft releases out-of-band critical security patch MS14-068 today
Description
Microsoft will release a security update for Windows client and server systems later today. The update fixes a critical vulnerability in server systems.
Author

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Jacques said on November 18, 2014 at 9:08 pm
    Reply

    Hi Martin
    Could you write something on KB3000850 please

    1. Zlip said on November 18, 2014 at 9:13 pm
      Reply

      This update rollup includes the following new features and improvements:
      – Refreshed language packs
      – Defence-in-depth security and Schannel hardening
      – Support for newer hardware (boot order allowance, SD card improvements, USB debugging)
      – Improved Web Services for Devices (WSD) printer support during network switches
      – Performance and reliability improvements in clustered virtual machine mission-critical environments
      – Improved manageability
      – Additional hardware support (devices that have third-party disk encryption software enabled can now be upgraded to Windows 8.1 more easily)

      1. Martin Brinkmann said on November 18, 2014 at 9:49 pm
        Reply

        Thanks ;)

  2. Bradshaw said on November 18, 2014 at 11:08 pm
    Reply

    These constant “critical/important” Windows updates are quite annoying — are they really “all” that urgent for average Windows client users ?

    {and Microsoft has buffooned several updates lately}

    Some scattered web advice indicates many Windows updates are urgent only if you use Internet Explorer (IE), especially with javascript & Activex enabled; otherwise many (suddenly discovered) Windows vulnerabilities become less urgent issues (?)

    Is there any website that explains these monthly Windows updates in plain (non-technical) language, expressing a clear, independent opinion of their actual “urgency” for various classes of Windows users ?

  3. Peter (NL) said on November 18, 2014 at 11:10 pm
    Reply

    724 MB update ….. I am always surprised that this kind of updates are shown under “Optional Updates”… Microsoft strongly recommends to install this update KB3000850. I wonder what ‘improved manageability’ does mean for the Windows user.

  4. Ronald said on November 19, 2014 at 5:53 am
    Reply

    BEWARE Update MS14-068 trashed my computer (HP ProBook 455 G1). After applying patch, computer hung on restart. Attempts to repair with Windows System Recovery Disc and HP Recovery Disc failed.

    In the end, had to restore from a system image backup.

    Speculation: the full disc encryption with HP security software is what caused the patch to be destructive (an error message contained the word “boot”). If Microsoft did not test the patch on such systems it is shameful.

    How can I permanently block this patch from being notified to my machine? I’ve already changed the Update setting from “automatic” to “notify but do not install automatically”. But I’d like it to be permanently excluded so that I won’t accidentally click on “Yes, install” one day.

    1. Hy said on November 19, 2014 at 2:38 pm
      Reply

      To permanently block an update, I think that you can open the Windows Update window from Control Panel and then right-click the update you no longer wish to receive notifications about and choose “Hide update.” If necessary confirm this if a UAC prompt opens, then click “OK” at the bottom of the Windows Update window. This works for me. Good luck!

  5. Omar C said on November 19, 2014 at 5:54 am
    Reply

    Anyone having problems with this security update? I have the dreaded msimg32.dll missing file message after reboot. I cannot open any third party applications.

  6. Dwight Stegall said on November 19, 2014 at 12:36 pm
    Reply

    Why are Windows 8.1 updates 10 times slower than Windows 7?

  7. Robert Palmar said on November 21, 2014 at 3:11 am
    Reply

    This update did slow my Windows 8.1 to a crawl.
    System Restore did solve the issue removing
    the update along with any harm it made.

    I have since hidden the update.

    My system is set to download updates
    for manual install at my discretion
    and having good luck so far
    I wrongly installed this.

    I suspect this update will get
    reworked and then re-released.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.