Microsoft Releases Out Of Band Kerberos Patch

Microsoft released an out-of-band patch today for all supported versions of Windows. The patch fixes a privately reported bug in the Kerberos Key Distribution Center (KDC) protocol. Left unpatched, it allows an attacker who already holds an ordinary domain account to carry out an elevation of privilege attack.

“The problem stems from a failure to properly validate cryptographic signatures which allows certain aspects of a Kerberos service ticket to be forged.”

Microsoft says that limited, targeted attacks against Windows servers have already been seen in the wild, which is why it took the unusual step of shipping the fix out of band rather than waiting for the next Patch Tuesday.

If the domain has already been compromised, patching alone does not undo the damage: forged tickets will have granted domain administrator rights, and the only remediation with real confidence is to rebuild the domain from scratch. Before concluding that, check the Security log for logon events (event ID 4624) in which the Security ID in the New Logon section does not match the Account Name on the same event; that mismatch is the telltale of a forged ticket carrying someone else's authorization data.
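The logon-event check described above, written out as a small script. This is an added example and is not code from the original post or from Microsoft. The 4624 events below are constructed samples in the XML layout that Get-WinEvent's ToXml() produces, and SID_TO_NAME is a constructed stand-in for resolving a SID against the domain; on a real domain controller you would translate the SID with System.Security.Principal.SecurityIdentifier or an LDAP lookup instead.

```python
"""
Flag Security event 4624 (logon) records whose New Logon SID resolves to a
different account than the Account Name recorded on the same event.  A forged
service ticket that carries a privileged account's authorization data while
having been requested by an ordinary user shows up exactly this way on the
target server.

Added example, not from the original post.  Sample events and SID_TO_NAME are
constructed; SID_TO_NAME stands in for a real directory lookup.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID

# Constructed stand-in for the directory: SID -> sAMAccountName.
SID_TO_NAME = {
    f"{DOMAIN_SID}-500": "Administrator",
    f"{DOMAIN_SID}-1104": "jdoe",
    f"{DOMAIN_SID}-1105": "svc_backup",
}


def make_4624(record_id, sid, name, domain="CORP", logon_type=3):
    """Build a constructed 4624 event in Windows event XML form."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>4624</EventID><EventRecordID>{record_id}</EventRecordID></System>"
        "<EventData>"
        f'<Data Name="TargetUserSid">{sid}</Data>'
        f'<Data Name="TargetUserName">{name}</Data>'
        f'<Data Name="TargetDomainName">{domain}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        "</EventData></Event>"
    )


SAMPLE_EVENTS = [
    make_4624(1001, f"{DOMAIN_SID}-1104", "jdoe"),        # ordinary user, consistent
    make_4624(1002, f"{DOMAIN_SID}-500", "jdoe"),         # admin SID on jdoe's logon: suspicious
    make_4624(1003, f"{DOMAIN_SID}-1105", "SVC_BACKUP"),  # only case differs, still consistent
    make_4624(1004, "S-1-5-18", "DC01$"),                 # well-known SID, not in our table
]


def parse_4624(xml_text):
    """Pull the New Logon fields out of one event; None if it is not a 4624."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "record_id": int(root.findtext("e:System/e:EventRecordID", namespaces=NS)),
        "sid": data.get("TargetUserSid", ""),
        "name": data.get("TargetUserName", ""),
        "domain": data.get("TargetDomainName", ""),
    }


def find_sid_name_mismatches(events, resolve=SID_TO_NAME.get):
    """
    Return {"mismatch": [...], "unresolved": [...]}.

    mismatch:   the SID resolves to a different account than the one named on
                the event (the forged-ticket indicator; treat as an incident lead).
    unresolved: the SID could not be resolved, so the check is inconclusive;
                listed rather than silently dropped so a human can review them.
    """
    result = {"mismatch": [], "unresolved": []}
    for xml_text in events:
        ev = parse_4624(xml_text)
        if ev is None:
            continue
        resolved = resolve(ev["sid"])
        if resolved is None:
            result["unresolved"].append(ev)
        elif resolved.lower() != ev["name"].lower():   # Windows account names are case-insensitive
            result["mismatch"].append(ev)
    return result


if __name__ == "__main__":
    hits = find_sid_name_mismatches(SAMPLE_EVENTS)
    for ev in hits["mismatch"]:
        print(f"record {ev['record_id']}: SID {ev['sid']} resolves to "
              f"{SID_TO_NAME[ev['sid']]} but the event names {ev['domain']}\\{ev['name']}")
    for ev in hits["unresolved"]:
        print(f"record {ev['record_id']}: SID {ev['sid']} not resolved, review manually")
```

On a real server the input list would come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` with each record's `.ToXml()` output, and the resolver would translate the SID through the domain. Unresolved SIDs are reported separately on purpose: a lookup failure is not evidence of forgery, but silently skipping it would hide exactly the records an analyst most needs to look at.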

Mitch Tanenbaum