Slashdot Mirror


Microsoft Releases Out-of-Band Security Patch For Windows

mrspoonsi writes Microsoft has announced that they will be pushing an out-of-band security patch today. The patch, which affects nearly all of the company's major platforms, is rated 'critical' and it is recommended that you install the patch immediately. The patch is rated 'critical' because it allows for elevation of privileges and will require a restart. The platforms that are affected include: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1. Windows 10 Technical Preview customers are affected, too.

178 comments

  1. Better go kick WSUS into a sync... by MachineShedFred · · Score: 4, Funny

    I love nothing better than starting out my Tuesday with rebooting every Windows box...

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    1. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 1, Funny

      Scheduling an emergency patch and reboot with terminal servers among all employees is a huge PITA! "Awww, do we have to? I've got all this work to...*BEEP*." Sorry guys, finger slipped when it asked me to reboot or not. OTOH, server secure :)

      --
      Life is not for the lazy.
    2. Re:Better go kick WSUS into a sync... by Richard_at_work · · Score: 4, Insightful

      If you roll out your patches the moment they come in, you are a retard - whatever happened to testing them in a subset of your organisation before releasing them to the general population, or do you enjoy running around like a headless chicken when there's a compatibility conflict?

    3. Re:Better go kick WSUS into a sync... by Tiger4 · · Score: 4, Informative

      Absolutely. We have a scheduled nightly patch push three times per week. New patches come into the test facility, they get run against our known baseline applications (commercial and homegrown), then get pushed after they pass QA. Nothing gets pushed straight from MS or anyone else. We can push out of cycle, but usually nothing is so critical it can't wait for 2-3 days of testing.

      --
      Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
    4. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      Scheduling an emergency patch and reboot with terminal servers among all employees is a huge PITA! "Awww, do we have to? I've got all this work to...*BEEP*." Sorry guys, finger slipped when it asked me to reboot or not. OTOH, server secure :)

      Hell of a maintenance policy you got there. Good luck keeping your job when your next "whoops" results in a server that won't start back up properly.

    5. Re:Better go kick WSUS into a sync... by mysidia · · Score: 2

      There has already been one major compatibility bug in the patch for MS14-066 released November 11, where you update your IIS server to fix the SSL remote code exec bug, and Chrome browsers stop working..

      Furthermore, there were several botched updates in October.

      Windows 7 blue screens with a patch in September

      I don't know what the deal is, but it looks like maybe Microsoft stopped testing security patches on August's patch tuesday, or something.

    6. Re:Better go kick WSUS into a sync... by bill_mcgonigle · · Score: 5, Interesting

      If you roll out your patches the moment they come in, you are a retard ... do you enjoy running around like a headless chicken when there's a compatibility conflict?

      If only security were so binary - in the real world it's a constant process of risk/reward calculations.

      Is this the vulnerability the boards have been buzzing about that gives a remote code exploit by merely visiting a malicious TLS server? If so, having all your end-user machines pwned inside the firewall is not better than the risk of a compatibility conflict. One cripples an organization, the other, at worst, breaks one app.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 4, Insightful

      Damned if you do, damned if you don't. Welcome to IT.

      --
      Life is not for the lazy.
    8. Re:Better go kick WSUS into a sync... by afidel · · Score: 4, Informative

      Chrome not properly handling some TLS1.2 cyphers is hardly an MS bug, though they do have a workaround for compatibility if you need it.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    9. Re:Better go kick WSUS into a sync... by WaffleMonster · · Score: 1

      I don't know what the deal is, but it looks like maybe Microsoft stopped testing security patches on August's patch tuesday, or something.

      Having recently "downsized" their QA staff testing work has been outsourced to paying customers.

      When they say they will release a patch 10 AM PST this represents the time they will have managed to get it to compile.

    10. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 5, Insightful

      THIS! Richard obviously works in a nice posh Fortune 500 org where such resources are available to HIM. Meanwhile, back in the real world for everyone else (Small Medium Business), rolling the dice is the only option. As you said, it's all a risk/reward calculation as to when and where to be proactive with the expenditure of resources.

      I find the lambasting of "should do this retard" to be quite insulting. As employees, we don't always get that option to do what is theoretically in the best interests of the company we work for.

      --
      Life is not for the lazy.
    11. Re:Better go kick WSUS into a sync... by jfbilodeau · · Score: 2, Insightful

      Damned if you do, damned if you don't. Welcome to Windows.

      FTFY ;)

      --
      Goodbye Slashdot. You've changed.
    12. Re:Better go kick WSUS into a sync... by CaptainDork · · Score: 2

      We don't keep files on people's feet.

      --
      It little behooves the best of us to comment on the rest of us.
    13. Re:Better go kick WSUS into a sync... by Opportunist · · Score: 1

      OTOH, if one of your dufus users clicks on some crap and infests the network with the latest and greatest threat since ILY you get whacked as well, after all there WAS a patch out and why the hell didn't you install it?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    14. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 1

      Exactly. I don't have a fucking QA division. I install the updates.

    15. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0, Flamebait

      Microsoft is a joke, they don't even tell you what the vulnerability is. Closed patches to a closed operating system developed in a closed environment in a closed building with closed bank accounts. It's fucking stupid.
      Here's another one for you...
      http://blog.beyondtrust.com/triggering-ms14-066
      When are all you idiots going to switch from Microsoft to BSD or Linux?
      Microsoft is a joke.

    16. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 1

      yeah cos there's been no major security bugs in open source projects this... oh wait.

    17. Re:Better go kick WSUS into a sync... by MacTO · · Score: 3, Informative

      Even if you did have something better to do, would you rather be testing and deploying security updates or cleaning up a security breach?

      It is easy to be unhappy about security updates because of the implied security bug, a bug that shouldn't have been in there in the first place. Yet we also have to remember that people are investing a lot of time into discovering and exploiting design/implementation flaws because we invest so much into computers and networks. It doesn't matter whether the mistake shouldn't have passed the muster of code review or if it's so obscure that it would take security experts years to understand its implications, someone is going to find it. It is, unfortunately, something that we've been seeing a lot of lately and it is something that won't disappear in the future.

      (We also shouldn't be targeting Microsoft because most platforms have seen critical security updates and even critical security breaches lately. It doesn't matter how proficient the developers are, nor does it matter who they work for. What matters is the value of the systems and data being compromised.)

    18. Re:Better go kick WSUS into a sync... by sexconker · · Score: 5, Informative

      Any worthwhile testing would take weeks to perform.
      Enjoy being exposed to known and active vulnerabilities while you're busy testing each patch individually against a dozen or more hardware configs across dozens of applications across hundreds of workloads and 99.99% of the time you'll find no problems that justify holding the patch back. And you'll STILL have Jerry from Accounting call you up after you deploy it because it broke the medieval torture device he calls an "ergonomic" keyboard.
      You (or some peon) will then be dispatched to his desk to investigate Brenda's ticket of "Jerry's computer frozen please advise.", and you'll be forced to awkwardly use that shitty keyboard while you troubleshoot (you didn't bring your own because you forgot he fucking had the damned thing).

      Here's the testing you need to do in the real world:
      Install all the patches on your machine.
      Reboot.
      Launch IE, FF, Chrome, Outlook, Word, and Excel.
      Launch any applications mentioned in the bulletin.
      If nothing crashed, deploy the patch to everyone.
      If something crashed, search "Patch Tuesday Breaks " and look for recent shit.

    19. Re:Better go kick WSUS into a sync... by mlts · · Score: 1

      That applies to all operating systems. When it comes to production, three things apply: Has the patch been tested in an environment as close to what the field is like, can it be applied without much downtime, and is there a way to back it out without causing major headaches.

      This is one reason I like virtualization with clusters [1]. If a patch does make it past testing and fouls up a production VM, I'm a snapshot away from going back to a working machine. This isn't a magic bullet solution, but it does help, and there is software which can sit atop the virtualization platform to catch intrusions and automatically roll boxes back to a working snapshot (perhaps taking a snapshot of the hacked VM for forensic purposes.)

      [1]: VMWare's fault tolerance mechanism is limited to a VM with one vCPU, but the ability to restart a VM if the physical machine is dead is a good one. Same with Hyper-V.

    20. Re:Better go kick WSUS into a sync... by MachineShedFred · · Score: 5, Insightful

      I'm more annoyed by the architecture of Windows that requires reboots for a ridiculous amount of updates. Why haven't they figured out how to stop a service, update it, and then start it again? Why does everything require a reboot?

      I understand kernel-level updates will require a reboot, and do on every OS out there. But there are far more reboots in patching Windows than any other platform.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    21. Re:Better go kick WSUS into a sync... by bill_mcgonigle · · Score: 1

      in a nice posh fortune 500 org where such resources are available to HIM

      In many cases this can be true, but consider a case where there's a zero-day in the MS TLS implementation. The only possible thing that can be done here is to have a pre-existing TLS interception mechanism deployed (local CA root on workstations with on-the-fly cert regeneration on the proxy) and have that be on a non-MS platform.

      Even if that's a good idea, many F500 companies won't have that deployed, much less the F50000.

      There are some situations where not only is extensive testing not possible, it's the stupid decision. I realize many corp-o-drones have CYA policies to hide behind while they make bad decisions, but I still would not want to be the guy who followed policy and got his internal network completely infested.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    22. Re:Better go kick WSUS into a sync... by MachineShedFred · · Score: 1

      Well, for one thing, it was meant to be kind of funny.

      Second: I really only have to look after a handful of Windows servers, because we do 90% of everything on Linux.

      Third: it's all VMs, and we have snapshots. If something breaks, we disable the patch and roll back. Oh, that was hard.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    23. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      Chrome not properly handling some TLS1.2 cyphers is hardly an MS bug

      Inadequate testing and informing of IIS and Chrome users is a problem, though. As is the fact they didn't adequately inform people about the new feature of new ciphers which would have more quickly resolved possible workarounds developed by MS, Google, or the populace at large. So, the bug isn't in the changes to the code. But it's definitely in the information provided that didn't warn and inform about compatibility issues.

    24. Re:Better go kick WSUS into a sync... by fahrbot-bot · · Score: 1, Funny

      I still would not want to be the guy who followed policy and got his internal network completely infested.

      Ya, but you've already got Windows systems on your network ... :-)

      --
      It must have been something you assimilated. . . .
    25. Re:Better go kick WSUS into a sync... by Richard_at_work · · Score: 0

      If we can do this in a 250 employee company (and have done it since we had more than a handful of users), anyone can do it. And what, precisely, do you need in way of resources - select a subset of computers, roll out the patch, if nothing bad has happened after a working day, roll the patch out to the next batch and so on.

      If you are "rolling the dice" then you are a fucking pathetic sysadmin and should be banned from being responsible for patching anything.
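
      An added example (not from any poster in this thread) of the staged rollout described above, driven from the WSUS side rather than by hand: approve the update for one computer group, come back after a working day, and promote it to the next group only if the previous ring reports no failed installs. It assumes the UpdateServices PowerShell module on the WSUS server (Windows Server 2012 or later); the group names, the KB number and the cutoff of zero tolerated failures are placeholders chosen for this example, not anything the thread states.

```powershell
# Added example: ring-based WSUS approval. Not the thread's code.
# Assumptions: run on the WSUS server with the UpdateServices module; the target
# groups below exist and machines are assigned to them; $KB is the update to stage.
Import-Module UpdateServices

$KB    = '3011780'                                    # assumption: KB article being rolled out
$Rings = 'Ring0-IT', 'Ring1-Pilot', 'Ring2-Everyone'  # assumption: WSUS target groups, in rollout order

$wsus   = Get-WsusServer
# Find the synced update by title; WsusUpdate wraps the underlying IUpdate in .Update
$update = Get-WsusUpdate -UpdateServer $wsus -Approval AnyExceptDeclined -Classification All |
          Where-Object { $_.Update.Title -like "*KB$KB*" } |
          Select-Object -First 1
if (-not $update) { throw "KB$KB has not been synced into WSUS yet" }

function Approve-ToRing {
    param([string]$Ring)
    # Approve for Install to exactly one target group; other rings are untouched.
    $update | Approve-WsusUpdate -Action Install -TargetGroupName $Ring
}

function Test-RingHealthy {
    param([string]$Ring, [int]$MaxFailures = 0)
    # Gate for promotion. Caveat: -ComputerUpdateStatus is per host, not per update,
    # so a host with an older stale failure also blocks promotion until it is fixed.
    $failed  = @(Get-WsusComputer -UpdateServer $wsus -ComputerTargetGroups $Ring -ComputerUpdateStatus Failed)
    $pending = @(Get-WsusComputer -UpdateServer $wsus -ComputerTargetGroups $Ring -ComputerUpdateStatus Needed)
    Write-Host ("{0}: {1} failed, {2} still needing updates" -f $Ring, $failed.Count, $pending.Count)
    return ($failed.Count -le $MaxFailures)
}

# Walk the rings. The script approves at most one new ring per run, so rerunning it
# after a working day is the "wait and observe" step; state lives in WSUS approvals.
$approvals = $update.Update.GetUpdateApprovals()
for ($i = 0; $i -lt $Rings.Count; $i++) {
    $done = $approvals | Where-Object {
        $_.GetComputerTargetGroup().Name -eq $Rings[$i] -and $_.Action -eq 'Install'
    }
    if ($done) { continue }                               # this ring already has it
    if ($i -gt 0 -and -not (Test-RingHealthy $Rings[$i - 1])) {
        Write-Warning ("Holding at {0}; fix the failures before promoting" -f $Rings[$i - 1])
        break
    }
    Approve-ToRing $Rings[$i]
    Write-Host ("Approved KB{0} for {1}" -f $KB, $Rings[$i])
    break
}
```

      The "nothing bad happened" judgement stays human: the gate only refuses to promote when WSUS itself reports failed installs, so an application that breaks without the patch failing still needs someone in the pilot ring to say so before the next run.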

    26. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      The only people that use Chrome are pedophiles, so that's a good thing.

      Oh, I use crome... Always wondered if I was a pedophile.... Now I knows.... Hey, what'sa pedophile anyway?

    27. Re:Better go kick WSUS into a sync... by DigiShaman · · Score: 3, Interesting

      Richard, I've lost clients because these clients were 10+ employees or less running off a single Windows SBS box. It wasn't us. It was the fact IT was just too expensive in general. Running a business, especially a small one, is exceedingly risky. They should be so lucky to afford rolling the dice ALONE! Many small businesses will just adhere to a BYOD policy with a NAS purchased from Best Buy. Yeah, good luck when Cryptolocker pulls you into bankruptcy.

      Risk assessment; learn it, love it, above all else, accept it! Can't stand the heat? Get out of the kitchen!

      BTW; you can't really duplicate an SBS box as it holds all the FSMO roles in addition to P2V testing being optional if they spend the time as a billable activity (assuming you can P2V with enough physical resources).

      --
      Life is not for the lazy.
    28. Re:Better go kick WSUS into a sync... by LordLimecat · · Score: 3, Interesting

      VMWare's fault tolerance mechanism is limited to a VM with one vCPU, but the ability to restart a VM if the physical machine is dead is a good one. Same with Hyper-V

      This is not correct.

      VMware's Fault Tolerance is indeed limited, but it has nothing to do with the ability to restart a VM on a dead host. FT prevents a machine from ever going down in the first place by keeping 2 identical VMs on 2 different hosts in sync, CPU state and all.

      High Availability is the feature you refer to regarding rebooting a downed VM, and it has no vCPU restrictions.

    29. Re:Better go kick WSUS into a sync... by MightyYar · · Score: 2

      It's a file format created by Acrobat.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    30. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      It was pretty smart of you to make your stupid post as an AC. It's always a hoot when idiots like you call reality-based people "idiots."

    31. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      Ok that is great, but in this case it means that tomorrow anyone in your company can be Administrator.
      Good day!

    32. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      I worked for a company that had only two time windows for outages--Thanksgiving day and Christmas day. We ran our call center on 12 servers. New patches came out every two weeks from the OS publishers. I ran these as "emergency" issues for one whole year. It was a pain but because we load-balanced the 12 call center servers, I could patch and bounce one at a time. At the end of the year, I told management that we could have outages at other times than Thanksgiving and Christmas. They were pissed at what I did. They never changed their policy but I changed mine. New job that was more reasonable in practices and in pay.

    33. Re:Better go kick WSUS into a sync... by master_kaos · · Score: 1

      Same here. I am the QA, IT and development division. Every PC belongs to an employee. I don't have an isolated network. We are only a 10-person company, but a lot of companies rely on us to have high uptime. I do the best I can do (creating images before updates, etc.), but at the end of the day I've got to throw the dice and hope it doesn't end up snake eyes, as it still takes time to recover..

    34. Re:Better go kick WSUS into a sync... by f3rret · · Score: 1

      Scheduling an emergency patch and reboot with terminal servers among all employees is a huge PITA! "Awww, do we have to? I've got all this work to...*BEEP*." Sorry guys, finger slipped when it asked me to reboot or not. OTOH, server secure :)

      Import-Module ActiveDirectory
      # -SearchBase takes the distinguished name of the OU; -Filter * returns every computer object under it
      $ComputerNames = Get-ADComputer -SearchBase "(DN of your server/workstation OU here)" -Filter * |
          Select-Object -ExpandProperty Name

      ForEach ($ComputerName in $ComputerNames)
      {
            # -Force restarts even with users logged on; the caller needs WMI/DCOM access to each target
            Restart-Computer -ComputerName $ComputerName -Force
      }

      Have the nightshift guy run that from a machine that the workstations/servers will accept WMI calls from and then have him feel like a wizard as every computer under the OU magically reboots.

      --
      Admit nothing. Deny Everything. Make Counter-accusations.
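
      A less blunt variant, added here as an example and not part of the post above: reboot only the machines under the OU that Windows itself says are waiting on a reboot, and skip anything in an exclusion group for the SQL/SAP-style hosts that cannot take a surprise restart. It assumes the RSAT ActiveDirectory module, WinRM reachable on the targets, and an OU and group whose names are placeholders you would change; the three registry locations checked are the ones Windows Update, component servicing and pending file renames use to flag a reboot.

```powershell
# Added example, not the poster's script: selective reboot of hosts with a pending reboot.
# Assumptions: RSAT ActiveDirectory module, WinRM enabled on targets, and the OU/group
# names below are placeholders.
Import-Module ActiveDirectory

$SearchBase   = 'OU=Workstations,DC=example,DC=com'   # assumption: OU to sweep
$ExcludeGroup = 'Patch-NoAutoReboot'                  # assumption: AD group of hosts never to auto-reboot

# Runs on each remote host: true for any of the three standard pending-reboot markers.
$PendingRebootCheck = {
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Pending = ($wu -or $cbs -or [bool]$sm.PendingFileRenameOperations)
        Reasons = @(if ($wu) { 'WU' }; if ($cbs) { 'CBS' }; if ($sm.PendingFileRenameOperations) { 'PFRO' })
    }
}

# Hosts that must be handled by hand, resolved through nested groups.
$excluded = Get-ADGroupMember -Identity $ExcludeGroup -Recursive |
            Where-Object { $_.objectClass -eq 'computer' } |
            Select-Object -ExpandProperty name

$targets = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' |
           Select-Object -ExpandProperty Name |
           Where-Object { $excluded -notcontains $_ }

# Unreachable hosts simply produce no result here; list them so nobody assumes they were patched.
$status  = Invoke-Command -ComputerName $targets -ScriptBlock $PendingRebootCheck -ErrorAction SilentlyContinue
$silent  = $targets | Where-Object { ($status | ForEach-Object Host) -notcontains $_ }
if ($silent) { Write-Warning ("No answer from: {0}" -f ($silent -join ', ')) }

$needReboot = $status | Where-Object Pending | ForEach-Object { "{0} ({1})" -f $_.Host, ($_.Reasons -join '+') }
Write-Host ("Pending reboot: {0}" -f ($needReboot -join ', '))

$hosts = $status | Where-Object Pending | Select-Object -ExpandProperty Host
if ($hosts) {
    # -WhatIf prints what would happen; drop it to actually restart. -Wait/-For block until WinRM is back.
    Restart-Computer -ComputerName $hosts -Force -Wait -For WinRM -Timeout 900 -WhatIf
}
```

      The exclusion group is the part worth keeping even if the rest is thrown away: it turns "which boxes must not be rebooted by a script" into a membership list that can be reviewed, instead of knowledge that lives in one admin's head.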
    35. Re:Better go kick WSUS into a sync... by Ravaldy · · Score: 1

      You can reboot the server during work hours?

    36. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      Sounds like you might be happier working for a company that's a little further from death next time around.

    37. Re:Better go kick WSUS into a sync... by Darinbob · · Score: 1

      I love running around like a headless chicken. It's my best joke at work and lightens up the dull meetings.

      On that note, let's have a quiet remembrance in honor of Mike the Headless Chicken.

    38. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      in addition, fault tolerance in VMware version 6 will be up to 4 vCPU

    39. Re:Better go kick WSUS into a sync... by StikyPad · · Score: 1

      To be fair, most updates of OS X have required a reboot as well. I'm in the process of installing 10.10.1 right now, and will have to reboot momentarily. There are probably more patches for Windows, but on its own, I'm not sure whether that statistic is objectively bad.

    40. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      HA!

      I work for a fairly large news organisation (although certainly not near Murdoch's empire in size).

      The IT manager, who is an MBA with an engineering degree, is a completely incompetent boob. Can't run things worth a damn, just likes to say "Do it!" and then notes in his books that "It was done."

      He ordered more than a year's worth of patches be applied to one machine without testing them and then, when it went down, he had his minimum wage staff to blame. Not the IT staff, but the minimum wage staff.

      This guy shouldn't be in charge of an ice cream store (he'd eat all the product anyway).

    41. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      10.10.1 is a major update, including many kernel extensions, and the kernel itself.

    42. Re: Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      About 40% of my servers would have serious issues with that. From SAP systems to certain SQL jobs. That would be a resume writing event.

    43. Re:Better go kick WSUS into a sync... by Bite+The+Pillow · · Score: 2

      A lot of this is historical. IE is baked into the shell, so the shell files can't be updated while a user is logged in. These ties have been broken lately, but not completely. It's not the architecture of Windows, but rather the need to keep up appearances despite most people knowing better. And the architecture of the web browser of course.

      Windows itself relies on having a lot of shared libraries, known as ".dll files". They can't possibly be patched if they are in use.

      Oh wait. Forgive me for not knowing the details off hand, but there is a preamble they emit in the assembly solely for the purposes of hotfixing. If they need to insert a call, do things, return, they have space for it. So they can patch all of the processes that loaded the library without restarting. It's something like MOV EAX,EAX or something else obviously without purpose (yes, not followed by a flag test).

      Anyway, the expectation of the users is probably why restarts are needed. If a service should be running, then users expect it to be running. If it is needed for some reason, like antivirus, then it is needed. Considering that Windows hosts the biggest money-making and proprietary software, the general expectation is that a service will be running when it needs to be running.

      Sure, tell me about how something crashed et cetera, but the software runs how it is expected to run as a matter of course and with some exception. In the world of Microsoft, this benefits the user. In the world of Linux, other attributes help the user.

      TL;DR the architecture is only a small part. Use case and audience seem to be the defining factor.

    44. Re:Better go kick WSUS into a sync... by sexconker · · Score: 1

      Importing modules? Multiple lines? Can't be run from a standard command prompt? Ugh.

      FOR /F "usebackq tokens=1 skip=3" %A IN (`net view /domain:domain`) DO IF [%A] NEQ [The] shutdown /r /t 0 /d p:2:18 /m %A

    45. Re:Better go kick WSUS into a sync... by Trogre · · Score: 1

      I think you might mean NT there...

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    46. Re:Better go kick WSUS into a sync... by mysidia · · Score: 1

      As I understand it they introduced changes independent of the security fix, and the non-fix-related feature additions caused the problem.

      They shouldn't have rolled new features in the same patch, BUT if they did, they should have included common software used by more than 10% of windows systems in their test cases and basic functionality such as HTTPS compatibility.

    47. Re:Better go kick WSUS into a sync... by Anonymous Coward · · Score: 0

      You realize the MS066 patch *added* cipher algorithms to the existing ones, right?

    48. Re:Better go kick WSUS into a sync... by hairyfeet · · Score: 1

      Correct me if I'm wrong but don't you have to be using the 32bit powerpoint to be affected by this? If so my users don't have to worry, switched them to 64bit a few years back.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    49. Re:Better go kick WSUS into a sync... by unitron · · Score: 0

      ...

      Having recently "downsized" their QA staff testing work has been outsourced to paying customers.

      ...

      Are you kidding? This is Microsoft, that's always been the function of the paying customers.

      Or are you saying they've been promoted from beta to alpha testing?

      --
      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    50. Re: Better go kick WSUS into a sync... by lgw · · Score: 1

      About 40% of my servers would have serious issues with that. From SAP systems to certain SQL jobs. That would be a resume writing event.

      SAP? SQL? Party like it's 1999! For me, having it matter whether any given server suddenly fails would be a career limiting move. We push-restart patches to services every week or two, and if that affects a customer in any way TSHTF.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    51. Re:Better go kick WSUS into a sync... by MachineShedFred · · Score: 1

      the general expectation is that a service will be running when it needs to be running.

      And this expectation can be filled with something like Apple's launchd (open source) which has the ability to spawn or respawn jobs on demand; or monitor them and reload them if they die, throttled in case of crash.

      So, patch the files, then kill the process. launchd then respawns it. Downtime? Less than a second. No reboot needed. The user can be notified by a box saying "The patch has been installed successfully" with a big green check mark.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    52. Re: Better go kick WSUS into a sync... by sexconker · · Score: 1

      About 40% of my servers would have serious issues with that. From SAP systems to certain SQL jobs. That would be a resume writing event.

      SAP? SQL? Party like it's 1999! For me, having it matter whether any given server suddenly fails would be a career limiting move. We push-restart patches to services every week or two, and if that affects a customer in any way TSHTF.

      You're a dumbass if you think SAP and SQL are relics.

      Further, you're a dumbass if you think redundancy, load balancing, etc. solve the problem. They add reliability to the replicated services by moving the single point of failure out to a different box (the load balancer, the VM server, the border switch, the ISP, or even all the way out to DNS) while adding complexity and cost and increasing the impact should the new single point of failure fail.

      Further, they intrinsically impact customers by providing different data to different customers until shit syncs up and cascades throughout all the hosts. This isn't done with magic or tachyons - it takes time. This is why we have transactions and brokers in SQL. This is why distributed and replicated systems spend so much effort trying to make sure their clocks are synced up.
      Redundancy is nice when you need to manage those services, but it doesn't solve the inherent problem. Nothing can. When a user wants X, they can't get X if X is down. They can get Y, which may or may not be the same as X at the given time.

      Anything handling critical transactions is redundant in exactly the opposite way from what you describe. Redundant, hot-swappable power, network, CPUs, RAM, storage, etc. for a single instance that is the arbiter of transactions from many sources. Mainframes are still around because we solved this fucking problem decades ago. Your approach is the cloud approach - make services redundant and push the single point of failure out. When in normal operation, different users get different shit at the same time - you simply can't use this model for critical transactions. When (not if) shit fails, shit fails hard. Hell, Azure just went out.

    53. Re:Better go kick WSUS into a sync... by david_thornley · · Score: 1

      On real operating systems, you can patch files while they're in use. If that doesn't work in Windows, that's a Windows problem, and an architecture issue.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    54. Re: Better go kick WSUS into a sync... by lgw · · Score: 1

      I help develop and operate a service that makes a hefty sum by doing all those things you deride, implementation-wise. It all works quite well - well enough that if routine patching causes any customer-visible disruption, you're in for extensive analysis, paperwork, and perhaps ritual abasement before an angry VP.

      Yes, yes, there are many technical problems involved with consuming "eventual consistency". In the 20th century these problems were seen as blocking, and anyway just buy a bigger DB server. But the 20th century was a long time ago, and while there's still a need for a transactional store, most problems can be solved without one, given sufficient thought - and at sufficient scale, it's really worth figuring out how.

      Not that safe patching is incompatible with SQL, of course. In my last job we routinely pushed patches to farms of many thousands of SQL servers, and again if there was any disruption visible to the mid-tier, important people would become seriously angry about that, and we didn't use fancy servers, beyond RAID controllers (and even that concession I abhorred). It's always safe for a single server to fail, or be rebooted for maintenance, and if two servers holding your primary copies of the same data should fail, you better have taken serious, well-reviewed steps in planning to limit the number of DBs affected and the minutes of data lost and the minutes until you're back up.

      And even that, which was a nice system, feels outdated now that Amazon went and announced this, which productizes the modern SQL DB and wraps it up in a pretty bow. /jealous

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. XP as well? by mrspoonsi · · Score: 3, Insightful

    I guess so, as Server 2003 is from a similar era.

    1. Re:XP as well? by smooth+wombat · · Score: 4, Funny

      Since it's not listed this would mean XP is safer than W7 or W8.

      Hazzah!

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:XP as well? by rescendent · · Score: 3, Interesting

      Except reading the patch note, while Windows Vista, Windows 7, Windows 8 and Windows 8.1, Windows RT and Windows RT 8.1 are listed its to say they are not affected.

      So its a patch for the server products.

    3. Re:XP as well? by Anonymous Coward · · Score: 3, Informative

      You are partially (mostly) correct. There is a patch for the client side too, however it is not rated with any security rating because although the bad code exists on client as well there is currently no known way to activate that code as it is only exposed in server scenarios. They will patch it just for good code maintenance - but no known vulnerability on client. As far as the GP asking about XP - XP is out of support and doesn't get patches.

    4. Re:XP as well? by NJRoadfan · · Score: 2

      As far as the GP asking about XP - XP is out of support and doesn't get patches.

      But Windows Embedded POSReady 2009 does. ;) I wonder if they have been keeping up with security patches, particularly the OLE one.

    5. Re:XP as well? by Anonymous Coward · · Score: 0

      It's not listed because windows Xp is now Xpired. No longer supported and server 2003 is still in support until July 14, 2015. At this point you use XP at your own risk. Keep good backups and hope that your virus vendor continues to support it.

    6. Re:XP as well? by tverbeek · · Score: 1

      No, it just means that MS isn't issuing a patch for XP. At least not exactly. They have released a patch today "for WEPOS and POSReady 2009", which is the branding given to the point-of-sale variant of Windows XP, which Microsoft still offers support for. There's a registry hack that makes Windows XP identify itself as Windows POS [insert joke here] when contacting the MS Update servers, and machines running that variant will get the patch.

      Or so I'm told. ;)

      --
      http://alternatives.rzero.com/
  3. Erm... Ok by Anonymous Coward · · Score: 0

    Thanks for the heads up... Though I assume those that use windows would have a pop up notification that would tell them the same thing.

    1. Re:Erm... Ok by Anonymous Coward · · Score: 1

      The pop up notification (and the accompanying system tray icon) was removed in Windows 8.

  4. So... by jellomizer · · Score: 2, Interesting

    With Apple continuing to make a more closed ecosystem. And Google sharing all your data in the world, with little interesting movement in Linux. Now Microsoft trying to be more open.
    Should we be a bit more welcoming to Microsoft?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:So... by just_another_sean · · Score: 0, Troll

      Should we be a bit more welcoming to Microsoft?

      No.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    2. Re:So... by Anonymous Coward · · Score: 0, Interesting

      Yes.

      Linux desktop is just a tumbleweed passing by with a huge amount of bugs and a lack of developers.

      Apple is iOSifying everything and making silly lock-ins like removing third-party SSD TRIM support.

      Meanwhile, Microsoft is bringing back the classic desktop, making Windows even faster and more secure, open sourcing lots of things, and bringing professional full-feature free tools like the Visual Studio Community edition. They also seem to listen to feedback now, looking at the changes being made to the free Windows 10 Technical Preview.

    3. Re:So... by Anonymous Coward · · Score: 0

      Who is this "we"?
       
      And I'd actually be understanding of Apple becoming more closed considering that their last really big security issue was a piece of open source software. But considering I see no evidence that this is the case I'll dismiss you as a troll.

    4. Re:So... by Anonymous Coward · · Score: 0

      Apple is iOSifying everything and making silly lock-ins like removing third-party SSD TRIM support.

      OS X has never had third-party SSD TRIM support to remove in the first place. There were third-party hacks to enable it which are now disabled by default in Yosemite - but can be re-enabled if you are determined to do so.

      So yeah, it sucks that they don't support TRIM on 3rd party SSDs but this has been the case for quite a while.

    5. Re:So... by Anonymous Coward · · Score: 0

      5 minutes after the LAST Patch Tuesday, sure. Then I'll be happy to be nice to them.

      Until then, not so much.

    6. Re:So... by Anonymous Coward · · Score: 0

      sounds like astroturfing to me, especially with the ac below singing harmony. was that you, by chance?

    7. Re:So... by McGruber · · Score: 5, Insightful

      Now Microsoft trying to be more open. Should we be a bit more welcoming to Microsoft?

      Embrace, Extend, Extinguish.

      What you view as "trying to be more open" strikes me as being "Embrace".

    8. Re:So... by Rob+Y. · · Score: 3, Insightful

      For the bazillionth time, Google is not "sharing all your data in the world". They are using your data in some very specific ways - and giving you free services in exchange. Those uses are relatively benign, as free internet services go, and they do not include sharing with any third parties.

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    9. Re:So... by Anonymous Coward · · Score: 0

      No. Microsnotters can rot in hell.

    10. Re:So... by pigiron · · Score: 0

      Mod this up.

    11. Re:So... by Alrescha · · Score: 4, Insightful

      "For the bazillionth time, Google is not "sharing all your data in the world".

      Technically, I think you are correct. What they are doing is collecting every possible bit of information about you in order to better sell you to advertisers.

      Somehow, that doesn't make folks feel any better.

      A.

      --
      ...bringing you cynical quips since 1998
    12. Re:So... by Anonymous Coward · · Score: 0

      Should we be a bit more welcoming to Microsoft?

      No.

      Your reply was insufficiently emphatic. That should read "Hell no."

    13. Re:So... by Obfuscant · · Score: 2

      "For the bazillionth time, Google is not "sharing all your data in the world".

      Technically, I think you are correct.

      Yes, technically correct.

      When my ISP decided to drop their own email services and start funneling all their customers' email through Gmail, it wasn't technically "all my data" that they handed over to Google to index and root around through, it was just the last four years of deleted email they got to play with. Yes, email I deleted four years ago showed up on Gmail. So, technically, because I have some other email accounts that don't go through that ISP, I mean didn't go through them, Google doesn't have ALL my data to share. Just a significantly large enough fraction of it.

    14. Re:So... by Rob+Y. · · Score: 1

      You're missing my point. It's not "to share" at all. Yes, they have your data. And if you hate that they use that to send you targeted ads, well, then don't use gmail - or google search - or the rest. But don't go claiming that they're sharing the info they have - they're not. Microsoft wants you to think they are - so they can get you to switch to MS services - where they will collect exactly the same data and do the same things with it.

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    15. Re:So... by Anonymous Coward · · Score: 0

      With Apple continuing to make a more closed ecosystem. And Google sharing all your data in the world, with little interesting movement in Linux. Now Microsoft trying to be more open.
      Should we be a bit more welcoming to Microsoft?
      ....Bightie, the zoo's new Bengal Tiger, hasn't eaten anyone, or even tried to eat anyone, in over a month. Maybe his cage should be like how we've found Microsoft lately...Now Microsoft trying to be more open.. So go ahead, open the cage just a wee bit, stick your hand in, and if that works, maybe put a leg or your head in, and if he doesn't move or appears asleep, just climb all the way in, and loudly slam that cage door shut behind you (enough to wake him), and then see what happens. Should be interesting. (Oh, and b.t.w., just following your suggestion 'trying to be more open').

    16. Re:So... by Obfuscant · · Score: 1

      You're missing my point. It's not "to share" at all. Yes, they have your data. And if you hate that they use that to send you targeted ads, well, then don't use gmail - or google search - or the rest.

      My only option in the matter would have been to leave an ISP I've been using for more than a decade. And I didn't expect them to HAVE four years of deleted email on hand to give to Google, so I didn't know Google was going to get it all until WAY too late.

      But don't go claiming that they're sharing the info they have - they're not.

      Citation required.

    17. Re:So... by Bite+The+Pillow · · Score: 1

      EEE is a cautionary tale, not a knee-jerk reaction.

      Is openness somehow bad? Is having source code for more and more products somehow bad?

      I am going to classify your comment as "I don't know what they are doing, therefore I am confused, therefore they confused me and are trying something sneaky". In other words you are an idiot.

      Embrace is good, and we support that. Extend is when we start to throw red flags. Extinguish is what users should do at the Extend phase.

      Put another way, if they never get to Extend, then what in the fucking shitpile are you and your positive moderators on about?

    18. Re:So... by Trogre · · Score: 1

      Openness is not bad.
      Microsoft's track record is bad.

      Having source code for more and more products is not bad.
      Microsoft's track record is bad.

      Embrace is good.
      Microsoft's track record is bad.

      Someone who questions Microsoft's motives is not an idiot.
      Microsoft's track record is bad.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  5. "Out of band?" by pigiron · · Score: 4, Informative

    I hate it when tech companies and CS in particular misuse technical terms. "Unscheduled" is the word they really meant (and should have used.)

    1. Re:"Out of band?" by Wootery · · Score: 1

      Seconded.

      If I want to see people misuse computer terminology, there are plenty of TV shows full of it. (I'm not sure if I'm right in thinking that 24 started it.)

    2. Re: "Out of band?" by Anonymous Coward · · Score: 0

      24 didn't start it, but holy crap did they perfect it.

    3. Re:"Out of band?" by Anonymous Coward · · Score: 0

      maybe they meant to say that most people will never receive the update as their Windows receivers are not tuned in for it? Seems to be true for XP users at least :)

    4. Re:"Out of band?" by arth1 · · Score: 2

      Out of band means that it's not distributed through the normal channels; i.e. Windows Update.

      This one is, so it's not out of band.
      And it's also only for server products, not Windows 7/8/8.1/10.

      But don't let that stop what /. now uses instead of editors from making a stupid headline.

    5. Re:"Out of band?" by Anonymous Coward · · Score: 0

      Also, why would I install a patch that allow privilege escalation? That seems like something I would like to avoid.

    6. Re:"Out of band?" by caseih · · Score: 1

      Yes I agree. I was wondering if Microsoft was going to be shipping the patch to customers on tapes, or what.

    7. Re:"Out of band?" by Chris+Mattern · · Score: 1

      Agreed. I read the headline and thought, "They're not offering it through Windows Update? How are people supposed to get it, or even know it exists?"

    8. Re:"Out of band?" by Opportunist · · Score: 1

      This. Hand the man an insightful, because that's basically the problem.

      I, too, was sitting here, knowing that MS is going to do something "out of schedule" and reading an update coming "out of band". For a moment I was worried that I might have missed something critical, then I said to myself "Wait. You read it on /., better check whether it's so or whether someone just wanted to use jargon to sound cool without knowing what the fuck they write about".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:"Out of band?" by randm.ca · · Score: 0

      For once Slashdot editors/submitters aren't to blame...the linked bulletin makes reference to it being out-of-band as well.

    10. Re:"Out of band?" by FrankDrebin · · Score: 1

      They probably meant "out of cycle".

      --
      Anybody want a peanut?
    11. Re:"Out of band?" by Anonymous Coward · · Score: 0

      The language was chosen on purpose. "Unscheduled patch" has a ring of "oh, crap" to it, while "out-of-band" allows them to sound like they are simply tuning something and are in total control. Perception management - lying without the overt lie.

    12. Re:"Out of band?" by Anonymous Coward · · Score: 0

      XP is dead, so of course anyone who's still using it shouldn't expect updates. It's just not relevant anymore.

      You can't safely connect an XP machine to the Internet, and it would be a bit much to expect them to release updates just because a subset of users failed to update to Win 7 way back in 2009. It's doubtful that the people who were too cheap to move on to Win 7 or 8 are going to be willing to pay for extended support anyway, and while Bill Gates runs some charities, MS is not one of them. 5 years of continued support of XP after the release of Win 7 was generous enough.

    13. Re:"Out of band?" by pigiron · · Score: 1

      It's far, far too late for anything out of Redmond to not have a ring of "oh, crap" to it.

    14. Re:"Out of band?" by rikkards · · Score: 1

      Actually it is out of band, as it was not originally scheduled to be out on Patch Tuesday but was added after the fact.
      We have some MS guys in our office.

    15. Re:"Out of band?" by Anonymous Coward · · Score: 0

      No. I think "out of band" is about right. Unscheduled doesn't fit. "Out of band" implies unnatural, and I'm pretty certain M$ end-of-life'd some of these operating systems. They aren't even products anymore. Providing warranty for a car past its warranty is not what car companies do. I got a recall notice from a car company a month ago for my 12 year old car that I purchased second hand. That is out-of-band too. It sure wasn't scheduled. I went to a car dealer I had never ever dealt with, and got work done for free. That is out-of-band. Unscheduled implies that there was a schedule and this breaks the pattern. But there is no schedule. Now from my days in Electronics Engineering: Out-of-band refers to activity outside of a defined telecommunications frequency band, or, metaphorically, outside some other kind of activity. It doesn't really apply directly in Computer Science. "Context Switch" applies, "Stack Frame" applies; even "Flag", "Semaphore" and "Spinlock", but not "Out of Band" unless you are referring to a CS kegger party that has gone on too long and the musicians have played their last set and went home, then the party is "Out of Band".

  6. Not for Windows 8 or 8.1 by ifdef · · Score: 5, Informative

    For Windows 8 and Windows 8.1, the Windows Update web site says "Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability." For all the other systems, the update is rated Critical.

    Am I looking at the wrong thing?

    1. Re:Not for Windows 8 or 8.1 by jnik · · Score: 1

      Same deal for 7.

    2. Re:Not for Windows 8 or 8.1 by Anonymous Coward · · Score: 0

      Indeed, it doesn't affect Vista or Win7 either. It seems that only server OSes are affected. They are patching the desktop OSes just as a defense-in-depth measure.

      dom

    3. Re:Not for Windows 8 or 8.1 by TheCarp · · Score: 1

      Well slightly confusing as it sounds like it IS for windows 8 and 8.1, but, its not critical on those platforms since the actual vulnerability is not present, but it still does make some changes.

      This sounds to me like "an unrelated change we made in 8 made this, we think, unexploitable, but we are patching the error anyway, just in case". Not sure that is exactly correct, but that is how I interpret that.

      --
      "I opened my eyes, and everything went dark again"
    4. Re:Not for Windows 8 or 8.1 by Anonymous Coward · · Score: 0

      "Critical" rating only seems to apply to their "server" OSs listed. When the details come out it will likely indicate the problem is with services provided by default with those but not with the "desktop" OSs.

  7. Out of band? by Chrisq · · Score: 2

    In my book this means it will be sent by another channel compared to normal updates I can't see how this applies!

    1. Re:Out of band? by jones_supa · · Score: 1

      Well, Patch Tuesday is the main channel, simple as that.

    2. Re:Out of band? by funwithBSD · · Score: 4, Funny

      You will be getting a USB stick in the mail.

      Don't worry... it is perfectly safe to insert into your server.

      --
      Never answer an anonymous letter. - Yogi Berra
    3. Re:Out of band? by Chris+Mattern · · Score: 1

      No, Patch Tuesday is the normal scheduled time. Windows Update is the main channel.

    4. Re:Out of band? by jones_supa · · Score: 1

      But Patch Tuesday is a channel whose frequency is about 30 days.

    5. Re:Out of band? by Anonymous Coward · · Score: 0

      Did you read the wikipedia article? Again classic examples are ^C on a serial or telnet session. You can't change how it is delivered, but you can change how it is processed. Out of band characters have priority over normal characters and the serial driver treats them differently. That is exactly what you are supposed to do with this update. Go back and re-read the description in Wikipedia...

    6. Re:Out of band? by Anonymous Coward · · Score: 0

      No the channel's period is 30 days.
      The channel's frequency is about 0.000000386 Hertz

    7. Re:Out of band? by jones_supa · · Score: 1

      Ah yes, that's true. :)

    8. Re:Out of band? by jones_supa · · Score: 1

      That's just one interpretation, but yes, you are correct.

    9. Re:Out of band? by Anonymous Coward · · Score: 0

      "Patch Tuesday" is not a "channel" - it's a schedule. This is indeed a sloppy misuse of the term "out of band".

  8. Does not Affect Vista, Windows 7, Windows 8, 8.1. by Snake98 · · Score: 4, Informative

    Does not Affect Vista, Windows 7, Windows 8, 8.1. RTF when doing a summary.

    Affected Software (Windows Operating System and Components), Bulletin Identifier MS14-068 for every entry:

    Windows Server 2003 (Aggregate Severity Rating: Critical)
      Windows Server 2003 Service Pack 2 (Critical)
      Windows Server 2003 x64 Edition Service Pack 2 (Critical)
      Windows Server 2003 with SP2 for Itanium-based Systems (Critical)
    Windows Vista (Aggregate Severity Rating: None)
      Windows Vista Service Pack 2 (No severity rating)[1]
      Windows Vista x64 Edition Service Pack 2 (No severity rating)[1]
    Windows Server 2008 (Aggregate Severity Rating: Critical)
      Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical)
      Windows Server 2008 for x64-based Systems Service Pack 2 (Critical)
      Windows Server 2008 for Itanium-based Systems Service Pack 2 (Critical)
    Windows 7 (Aggregate Severity Rating: None)
      Windows 7 for 32-bit Systems Service Pack 1 (No severity rating)[1]
      Windows 7 for x64-based Systems Service Pack 1 (No severity rating)[1]
    Windows Server 2008 R2 (Aggregate Severity Rating: Critical)
      Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical)
      Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Critical)
    Windows 8 and Windows 8.1 (Aggregate Severity Rating: None)
      Windows 8 for 32-bit Systems (No severity rating)[1]
      Windows 8 for x64-based Systems (No severity rating)[1]
      Windows 8.1 for 32-bit Systems (No severity rating)[1]
      Windows 8.1 for x64-based Systems (No severity rating)[1]
    Windows Server 2012 and Windows Server 2012 R2 (Aggregate Severity Rating: Critical)
      Windows Server 2012 (Critical)
      Windows Server 2012 R2 (Critical)
    Windows RT and Windows RT 8.1 (Aggregate Severity Rating: None)
      Windows RT (Not applicable)
      Windows RT 8.1 (Not applicable)
    Server Core installation option (Aggregate Severity Rating: Critical)
      Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Critical)
      Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Critical)
      Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Critical)
      Windows Server 2012 (Server Core installation) (Critical)
      Windows Server 2012 R2 (Server Core installation) (Critical)

    Notes for MS14-068
    Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the update, which will be available via Windows Update.
    [1] Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.

    --
    Freedom of Speech only include discussion that are approved by the RIAA, MPAA and DMCA.
  9. I'm safe! by Anonymous Coward · · Score: 1

    Windows 98SE, bitches!

  10. We're Still Pulling the Last Critical Patch by Anonymous Coward · · Score: 0

    Fool me once.. your Credibility Microsoft is MUD... stop Trolling everyone.

    NO Way am I applying this even to my little sister's XP bargain basement notebook.

    This is just stupid.

    1. Re:We're Still Pulling the Last Critical Patch by Anonymous Coward · · Score: 0

      XP is based on Windows 2003 or vice versa.

  11. This wasn't ready yet for last patch-Tuesday by Anonymous Coward · · Score: 0

    It is number MS14-068
    Last patch-Tuesday released a lot of updates from MS14-064 to MS14-079, but it skipped MS14-068 explicitly.

    So they were simply not ready yet last Tuesday to throw this over the wall, but had already given it a number.

    So this is just a delayed release.

    1. Re:This wasn't ready yet for last patch-Tuesday by Anonymous Coward · · Score: 0

      Along with MS-068, MS-075 was also skipped on 11 Nov. 2014 and is currently tagged as "Release date to be determined". Security Bulletins 2014

      Maybe we can do this all over again next week.

  12. Dear apk by Anonymous Coward · · Score: 0

    Your host files will keep you safe, so don't worry.

  13. iOS Developer Program and XNA Creators Club by tepples · · Score: 1

    With Apple continuing to make a more closed ecosystem [...] Should we be a bit more welcoming to Microsoft?

    The "$99 per year recurring fee to run software you wrote on a machine you own" policy that Apple implemented in iOS was strikingly similar to the "$99 per year recurring fee to run software you wrote on a machine you own" policy that Microsoft had already implemented on Xbox 360.

    Now Microsoft trying to be more open.

    Case in point: Unlike Apple with the iPad, Microsoft has allowed for a free-of-charge developer license on Windows RT, where you pay only once it's time to upload your app to Windows Store.

    1. Re:iOS Developer Program and XNA Creators Club by tlhIngan · · Score: 2

      The "$99 per year recurring fee to run software you wrote on a machine you own" policy that Apple implemented in iOS was strikingly similar to the "$99 per year recurring fee to run software you wrote on a machine you own" policy that Microsoft had already implemented on Xbox 360.

      Only for iOS. OS X still has free Xcode development tools available. They used to ship with the OS, but now it's in the Mac App Store as a separate download. And this started before Microsoft created the Express edition of Visual Studio.

      Case in point: Unlike Apple with the iPad, Microsoft has allowed for a free-of-charge developer license on Windows RT, where you pay only once it's time to upload your app to Windows Store.

      Great, so Microsoft makes it a one-time payment to code for a dead platform? And given the struggles Microsoft has with their app store(s), it's no wonder Microsoft is trying all sorts of things because developers aren't willing to code for a marginal platform like Windows RT or Windows Phone. They have to make it super cheap or free because developers wouldn't code for it otherwise.

  14. Re:Seems to be a mistake... apk by jones_supa · · Score: 1

    You seem to be right, Alex. If one reads the MS bulletin carefully, one can see that this patch applies only to Windows Server editions.

  15. Go XP! by Anonymous Coward · · Score: 0

    Yet another reason to fall back on XP.

    Thanks Microsoft!

    1. Re:Go XP! by ArcadeMan · · Score: 1

      XP? I'm still using MS-DOS 3.3 here.

    2. Re:Go XP! by armanox · · Score: 1

      You must like setting the system time every time it boots.

      How did you manage to post to Slashdot on your 8088 anyway (hope you have the full 640K RAM!)?

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    3. Re:Go XP! by ArcadeMan · · Score: 1

      This is 2014. The majority of nerds have more than one computer.

    4. Re:Go XP! by Kittenman · · Score: 1

      This is 2014. The majority of nerds have more than one computer.

      Heck, that's a prerequisite of membership.

      But look on the bright side - nerddom also requires more than one operating system ...

      --
      "The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
  16. We're Still Pulling the Last Critical Patch by Anonymous Coward · · Score: 0

    Fool me once.. your Credibility Microsoft is MUD... stop Trolling everyone.

    NO Way am I applying this even to my little sister's XP bargain basement notebook.

    This is just stupid.

    Since the patch isn't even available for XP, you have nothing to worry about.

  17. What is it? by Anonymous Coward · · Score: 0

    What is the vulnerability? No information provided at all...

    Since when is elevation of privilege considered critical enough to warrant an out of cycle patch?

    Seeing as this targets server SKUs only until I stand corrected by presence of actual facts I will assume "elevation of privilege" actually means elevation from nothing/anonymous access.

    1. Re:What is it? by MrSmurf1 · · Score: 1

      I'm with you. Been searching all morning for more details and can't find a single article with what it actually patches. Anyone else find anything?

    2. Re:What is it? by Anonymous Coward · · Score: 1

      It is a patch that addresses a vulnerability that is present in all current versions of Windows Server. The vulnerability is not present by default in all current workstation versions of Windows, but the patch will still be applied to those OS's. Because the vulnerability is being actively exploited, the details will not be released before the patch is released around 10:00 AM PST today.

    3. Re:What is it? by harryjohnston · · Score: 1

      An elevation of privilege affecting the entire domain is certainly critical, particularly when it's already being used in attacks.

      This means that if the attacker has control of one machine in the domain, he or she can take control of every other machine, including the servers.

    4. Re:What is it? by ihtoit · · Score: 1

      This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account.

      Source: https://technet.microsoft.com/...

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    5. Re:What is it? by ihtoit · · Score: 1

      yes, and this is a vulnerability in the authentication/session key service which is basically an invitation to exploit using a skeleton key.

      Sounds to me like Kerberos is fatally flawed (as in, it was designed to prevent this exact thing from happening by whitelisting users on a per-case basis assigning temporary privileges according to their stored credentials), and this is a temporary fix.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    6. Re:What is it? by harryjohnston · · Score: 1

      There's a bit more information available now:

      http://blogs.technet.com/b/srd...
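
The script below is an added example, not code from this thread, from Microsoft, or from the linked SRD post. It implements the detection signal that post describes for this flaw (MS14-068, CVE-2014-6324, fixed by KB3011780): a logon made with a forged Kerberos ticket shows up on the domain controller as a 4624 event whose "New Logon" Security ID resolves to a different account than the Account Name field. The event text and the SID-to-name table are constructed for the example; a real deployment would feed it exported 4624 events from the DCs and resolve raw SIDs against the domain.

```python
"""Flag MS14-068-style forged-ticket logons in Windows 4624 events.

Added example, not Microsoft's code. It assumes the signal described in
Microsoft's SRD post on CVE-2014-6324: a successful-logon event (4624) whose
New Logon Security ID and Account Name belong to different accounts.
"""
import re
from typing import Dict, List, Optional

# Constructed sample events in the layout Event Viewer renders for the
# "New Logon" section of a 4624 event. Not real log data. Backslashes are
# doubled only because this is Python source; the text holds a single one.
SAMPLE_EVENTS = [
    # Ordinary network logon: Security ID and Account Name agree.
    "Event ID: 4624\nLogon Type: 3\nNew Logon:\n"
    "    Security ID:    TESTLAB\\nonadmin\n"
    "    Account Name:   nonadmin\n"
    "    Account Domain: TESTLAB\n",
    # Computer account logon: the trailing $ appears in both fields.
    "Event ID: 4624\nLogon Type: 3\nNew Logon:\n"
    "    Security ID:    TESTLAB\\WKS01$\n"
    "    Account Name:   WKS01$\n"
    "    Account Domain: TESTLAB\n",
    # Forged-ticket pattern: the SID resolves to Administrator, but the
    # client name carried in the ticket (Account Name) is the low-priv user.
    "Event ID: 4624\nLogon Type: 3\nNew Logon:\n"
    "    Security ID:    TESTLAB\\Administrator\n"
    "    Account Name:   nonadmin\n"
    "    Account Domain: TESTLAB\n",
    # Same pattern, but the collector left the SID unresolved (raw form).
    "Event ID: 4624\nLogon Type: 3\nNew Logon:\n"
    "    Security ID:    S-1-5-21-1111111111-2222222222-3333333333-500\n"
    "    Account Name:   nonadmin\n"
    "    Account Domain: TESTLAB\n",
    # A logoff event: not a 4624, so it is ignored even with odd fields.
    "Event ID: 4634\nSubject:\n"
    "    Security ID:    TESTLAB\\Administrator\n"
    "    Account Name:   nonadmin\n",
]

# Constructed SID-to-account table (assumption for the example). In a real
# deployment resolve raw SIDs against the domain or have the collector do it.
SID_NAMES: Dict[str, str] = {
    "S-1-5-21-1111111111-2222222222-3333333333-500": "Administrator",
    "S-1-5-21-1111111111-2222222222-3333333333-1104": "nonadmin",
}

EVENT_ID_RE = re.compile(r"Event ID:\s*(\d+)")
NEW_LOGON_RE = re.compile(
    r"New Logon:\s*Security ID:[ \t]*(?P<sid>[^\n]+)\n"
    r"\s*Account Name:[ \t]*(?P<name>[^\n]+)"
)


def account_from_sid(sid: str, sid_names: Dict[str, str]) -> Optional[str]:
    """Return the bare account name a Security ID field stands for.

    Event Viewer renders resolvable SIDs as DOMAIN\\name; a raw S-1-5-...
    value is looked up in sid_names. None means it could not be resolved.
    """
    sid = sid.strip()
    if sid.upper().startswith("S-1-"):
        return sid_names.get(sid.upper())
    return sid.rsplit("\\", 1)[-1]


def is_forged_pac_logon(event: str, sid_names: Optional[Dict[str, str]] = None) -> bool:
    """True if a 4624 event's New Logon SID and Account Name name different accounts."""
    if sid_names is None:
        sid_names = SID_NAMES
    m = EVENT_ID_RE.search(event)
    if m is None or m.group(1) != "4624":
        return False
    m = NEW_LOGON_RE.search(event)
    if m is None:
        return False
    resolved = account_from_sid(m.group("sid"), sid_names)
    if resolved is None:
        # Unresolvable SID: nothing to compare against, so do not flag on guesswork.
        return False
    return resolved.lower() != m.group("name").strip().lower()


def find_suspicious_logons(events: List[str], sid_names: Optional[Dict[str, str]] = None) -> List[int]:
    """Indexes of events matching the forged-ticket logon pattern."""
    return [i for i, e in enumerate(events) if is_forged_pac_logon(e, sid_names)]


if __name__ == "__main__":
    for i in find_suspicious_logons(SAMPLE_EVENTS):
        print(f"suspicious logon in event {i}:\n{SAMPLE_EVENTS[i]}")
```

Run against the constructed events it reports indexes 2 and 3, the two logons where the ticket named one account but the SID belonged to another. Two caveats a practitioner would want: the check only works on events from domain controllers (that is where the forged ticket is consumed), and it is a hunt for past abuse, not a substitute for confirming that the update itself (KB3011780) is installed on every DC, for instance with Get-HotFix.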

  18. Windows 10...customers are affected, too. by fustakrakich · · Score: 0

    Sounds like it's ready to ship...

    --
    “He’s not deformed, he’s just drunk!”
  19. XP Killer? by bill_mcgonigle · · Score: 1

    Windows Server 2003 Service Pack 2 (Critical)

    Since XP and 2003 usually go together. I didn't find a technical discussion link on the advisory but if this is the buffer overflow in the TLS library that has been making the rounds recently, this could be the one that finally kills the XP machines on the 'net.

    Unless Microsoft backpedals again and enables the XP holdouts for a while longer.
     

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:XP Killer? by afidel · · Score: 2

      No, the TLS flaw was MS14-066 and it affects XP as well but there is no generally available fix for it since XP is out of extended support. If you care at all about security you're no longer using XP so the fact that there is another critical flaw isn't going to significantly change the situation.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:XP Killer? by NJRoadfan · · Score: 1

      MS14-066 (along with the MS14-064 OLE fix) was released for POSReady 2009, so technically XP was patched for it. http://support.microsoft.com/k...

    3. Re:XP Killer? by Anonymous Coward · · Score: 0

      ...and how many XP boxes run a Kerberos KDC, exactly?

      The patch isn't made for XP, since XP doesn't run the affected service. This isn't a kernel patch.

    4. Re:XP Killer? by ihtoit · · Score: 1

      only those that host Kerberos as part of the consolidated domain services.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    5. Re:XP Killer? by ihtoit · · Score: 1

      Kerberos V5 does run on XP. In fact it'll run on 2000.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  20. Re:Does not Affect Vista, Windows 7, Windows 8, 8. by ISoldat53 · · Score: 1

    Why does MS explain the risk in a footnote instead of the chart of affected software? Why not just say "Unaffected" or some similar term in the chart itself.

  21. Re:Does not Affect Vista, Windows 7, Windows 8, 8. by Lew+Perin · · Score: 1

    So the vulnerability is in some component that's present only in server versions of Windows. On machines running client versions of Windows, there's no urgency about this.

    --
    Sorry, I forgot there are ads on the Web; I use Lynx.
  22. Timothy is a moron by Anonymous Coward · · Score: 0

    -1 troll all you want, but you know he's an idiotic moderator at submitting articles.

    And this shows it again.

  23. restart by Anonymous Coward · · Score: 0

    I think 90% of the windows updates that I have installed since the Windows 3.1 days required a restart. Just saying. Windows can't update any executable (*.exe, *.dll, *.drv) when it is in use.

    1. Re:restart by Anonymous Coward · · Score: 0

      This is true. While on *nix systems you can update the executable while it's running ... that only happens on disk. All running instances are executing out of a shared memory block that only gets released when all running instances have stopped. So you still need to at least stop all affected services after a patch and start them again, even if you don't reboot the entire machine.
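
An added example for the point made in this thread (my code, not either poster's), for Linux: a copy of `sleep` stands in for a running service. Writing its executable in place is refused while it runs, and replacing the path by rename succeeds but leaves the process executing the old image, which is exactly why installing a patch on disk does not make it effective until the service is restarted. `find_stale_processes` is the check an administrator runs after patching to list processes that still need a restart. It assumes Linux with `/proc`, a `sleep` binary on PATH, and a temporary directory that permits execution; the "svc" name is made up.

```python
import errno
import os
import shutil
import subprocess
import tempfile
import time
from typing import Dict


def find_stale_processes() -> Dict[int, str]:
    """Map pid -> exe path for every process whose executable on disk has been
    replaced or removed since it started. Linux reports this by appending
    ' (deleted)' to the target of the /proc/<pid>/exe link."""
    stale: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # kernel thread, no permission, or the process already exited
        if target.endswith(" (deleted)"):
            stale[int(entry)] = target
    return stale


def demo(seconds: int = 30) -> Dict[str, bool]:
    """Start a copy of 'sleep' as a stand-in service (assumed name 'svc'),
    then try to 'patch' it two ways and report what happened."""
    sleep_bin = shutil.which("sleep")
    if sleep_bin is None:
        raise RuntimeError("no sleep binary on PATH")
    workdir = tempfile.mkdtemp(prefix="inuse-demo-")
    exe = os.path.join(workdir, "svc")
    shutil.copy2(sleep_bin, exe)  # copy2 keeps the executable mode bits
    proc = subprocess.Popen([exe, str(seconds)])
    try:
        time.sleep(0.2)  # let the kernel map the image
        # 1. Writing the running image in place: Linux refuses with ETXTBSY
        #    ("Text file busy"), the closest analogue to Windows' in-use lock.
        try:
            with open(exe, "wb") as fh:
                fh.write(b"new build")
            write_refused = False
        except OSError as exc:
            write_refused = exc.errno == errno.ETXTBSY
        # 2. Replacing the path with a new file: succeeds, but the running
        #    process keeps executing the old, now unlinked, inode.
        new_exe = exe + ".new"
        shutil.copy2(sleep_bin, new_exe)
        os.replace(new_exe, exe)
        time.sleep(0.1)
        return {
            "inplace_write_refused": write_refused,
            "still_running_old_image": proc.poll() is None,
            "flagged_by_scan": proc.pid in find_stale_processes(),
        }
    finally:
        proc.kill()
        proc.wait()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
    # On a freshly patched host, anything listed here still runs pre-patch code.
    for pid, path in find_stale_processes().items():
        print(f"restart needed: pid {pid} runs {path}")
```

The scan only covers the main executable; a process that loaded a patched shared library keeps the old copy mapped in the same way, and tools that check `/proc/<pid>/maps` for deleted mappings extend the idea to libraries.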

  24. Elevation of Privileges? by Anonymous Coward · · Score: 0

    The patch allows for elevation of privileges? Don't think I'll be installing that one.

  25. Another feather in the cap for XP by linuxrunner · · Score: 1

    Thank goodness I'm still running XP!

    --
    www.slightlycrewed.com - Because aren't we all?
  26. do you want .Net? because that's how you get .Net. by Anonymous Coward · · Score: 0

    Anybody that runs Windows as a server deserves what they get.

  27. Re:Does not Affect Vista, Windows 7, Windows 8, 8. by Anonymous Coward · · Score: 0

    My God, how are they able to manage all that? This is a very bushy release tree, much worse than Linux. I had no idea it'd gotten this bad.

  28. Re: by Anonymous Coward · · Score: 0

    Uh, no, I don't think so. The classic example would be ^C in a telnet session. It isn't delivered "out of band", but the processing needs to be immediate - one might say prioritized. It is also true from a serial connection: the characters are coming in in order, but you process the ^C differently. So, yes, MS used the term correctly.

  29. are you sure? by Anonymous Coward · · Score: 0

    Looks like it only affects Windows 2008 and 2012 ... https://technet.microsoft.com/en-us/library/security/ms14-nov.aspx

    1. Re:are you sure? by ihtoit · · Score: 1

      No, it will affect any system which runs Kerberos. From 2K to ~.

      The only difference is which OSen are in support cycle. XP isn't one of them, and neither, clearly, is 2K. 2K3 is, but that's down to MS' decision to extend it, not, I think, due to any technical pressures or original scheduling.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  30. Re:do you want .Net? because that's how you get .N by Anonymous Coward · · Score: 0

    Easy setup, good reliability, best-in-industry offerings for shit like SQL and LDAP, built-in core services for tons of popular services (AD,DFS,DHCP,DNS,IIS,RDS,etc.), powerful and flexible virtualization options, widely available resources for configuration and troubleshooting, appropriate pricing, etc.?

    Windows Server is pretty good. Yes, you have patches that interrupt your shit, but if you care that much about downtime you're running redundant services anyway.

  31. Of little impact for illiterate users by Eravnrekaree · · Score: 1

    It's interesting that a patch on privilege separation escalation, while being ranked serious, would have so little effect on most users, because most computer-illiterate users do not know how to use them. The OS contains what is a major problem in that it does not encourage these users to use the feature.

    Most of your common Windows users do not use any kind of privilege separation; they go right in as a superuser account, because they don't even know what any of this stuff is. Windows ironically seems designed in such a way that it assumes that every user is very literate on how to properly set up and use an operating system. To get the situation with viruses under control would require having a model whereby the system comes by default in a secure, recommended state but also allows expert users to override that if necessary. Most common users will not do this; they can barely understand anything in the control panel anyway. The resulting situation would not be perfect, but it would be better than now, and it would not prohibit customization by experts.

    This initial state would put the user in a non-privileged account by default and would not offer a login choice for an administrator account. It would also include a prohibition on executing any user-downloaded programs in the user's directories; only programs which are root-writable only, in the main system directory, would be executable. This makes it much harder to download and execute viruses. Programs could only be installed via an app store, or via a physical distribution that has been registered, approved and cryptographically signed by the OS vendor. Program installers would be given the minimum permissions they need to install themselves and would install into a file system overlay environment, allowing any effects of the installer to be easily tracked and reversed; they would not have direct access to a large number of system files which they have no need to touch, and would be restricted to their own subfolder in the registry.

    I find it ironic that Mandatory access control, which is more badly needed on newbie computers to stop these users from downloading EXEs to their home folder and executing them, is unavailable in Home Premium, where the feature is most badly needed.

    The restrictions could be disabled from the control panel if needed, but the idea is that most users use the default configuration that they are given, so this would be a vast improvement over how things work now. The proliferation of viruses would be drastically reduced from all of this.

    These ideas are good ones for any operating system which is for illiterate computer users.

  32. DOES Affect Vista, Windows 7, Windows 8, 8.1. by teridon · · Score: 1

    I don't know what you're looking at, but it's the wrong patch. The patch in question is MS14-068, and it affects every system listed in the summary.

    https://technet.microsoft.com/library/security/MS14-068

    --
    I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
    1. Re:DOES Affect Vista, Windows 7, Windows 8, 8.1. by __aagmrb7289 · · Score: 1

      From TFA (that you linked!):

      What systems are primarily at risk from the vulnerability? Domain controllers that are configured to act as a Kerberos Key Distribution Center (KDC) are primarily at risk.

      This isn't meant to dispute what you are saying (it does affect them all), but the article makes it clear that if the DCs are patched, you've mitigated the primary issue. Which seems strongly related to the comments to which you are replying.

    2. Re:DOES Affect Vista, Windows 7, Windows 8, 8.1. by harryjohnston · · Score: 1

      No, the security bulletin is very clear that the vulnerability doesn't affect client versions of Windows. The patch has been made available anyway only as a defense in depth precaution.

      If you look at the "Affected Software" table, you will note that the "Maximum Security Impact" is "None" for client versions.

      (OK, I guess it depends on what you mean by "affect". But the upshot is that you only need to patch servers - more specifically DCs - now, everything else can wait and be done with next month's updates.)

    3. Re:DOES Affect Vista, Windows 7, Windows 8, 8.1. by teridon · · Score: 1

      Yes, you're right, I didn't read the table carefully!

      --
      I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
  33. Vulnerability in Kerberos Could Allow Elevation of by Anonymous Coward · · Score: 0

    Microsoft Security Bulletin MS14-068 - Critical
    https://technet.microsoft.com/en-us/library/security/MS14-068
    Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)
    Published: November 18, 2014
    Version: 1.0

    Executive Summary

    This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

    This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1. For more information, see the Affected Software section.

    The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

    For more information about this update, see Microsoft Knowledge Base Article 3011780.
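
An added example, not from the bulletin or from any poster: a small Python check for the indicator Microsoft published alongside this bulletin, a successful logon (event 4624) whose Security ID does not resolve to the Account Name the event carries, which is what a forged ticket accepted by an unpatched KDC can leave behind. The directory lookup, the flattened key=value event format, the SIDs, account names and host names are all constructed here; a real run would resolve SIDs against the domain and read exported events.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for a directory lookup (SID -> sAMAccountName). A real
# detection would resolve SIDs against Active Directory instead of a dict.
DIRECTORY: Dict[str, str] = {
    "S-1-5-21-1111111111-2222222222-3333333333-500": "Administrator",
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "jdoe",
    "S-1-5-21-1111111111-2222222222-3333333333-1106": "asmith",
}

# Constructed, flattened logon events. Real 4624 events are multi-line; only
# the fields the check needs are kept. Line 3 names Administrator under
# jdoe's SID, line 5 carries a SID the directory has never issued.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-1105 AccountName=jdoe Workstation=WS01
EventID=4624 LogonType=3 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-1106 AccountName=asmith Workstation=WS02
EventID=4624 LogonType=3 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-1105 AccountName=Administrator Workstation=DC01
EventID=4634 LogonType=3 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-1105 AccountName=jdoe Workstation=WS01
EventID=4624 LogonType=3 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-9999 AccountName=unknownuser Workstation=WS03
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value Key=Value ...' line into a dict."""
    return dict(FIELD_RE.findall(line))


def check_logon_event(event: Dict[str, str], directory: Dict[str, str]) -> Optional[str]:
    """Return a finding for a 4624 event whose SID and account name disagree, else None.

    Two cases are flagged: the SID resolves to a different account than the one
    named in the event, or the SID cannot be resolved at all.
    """
    if event.get("EventID") != "4624":
        return None  # only successful logons carry the pair being compared
    sid = event.get("SecurityID", "")
    name = event.get("AccountName", "")
    host = event.get("Workstation", "?")
    expected = directory.get(sid)
    if expected is None:
        return f"unresolvable SID {sid} logged on as {name!r} at {host}"
    if expected.lower() != name.lower():  # sAMAccountName comparison is case-insensitive
        return f"SID {sid} belongs to {expected!r} but event names {name!r} at {host}"
    return None


def scan(log_text: str, directory: Dict[str, str]) -> List[str]:
    """Run the check over every non-empty line and collect findings."""
    findings: List[str] = []
    for line in log_text.splitlines():
        if line.strip():
            finding = check_logon_event(parse_event(line), directory)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, DIRECTORY):
        print("ALERT:", finding)
```

Unresolvable SIDs are flagged as well as mismatches, because a logon under a SID the directory never issued is just as suspicious as a name that does not belong to it; on a real domain, SIDs of recently deleted accounts will appear in that bucket and need to be filtered against the deleted-objects container before alerting.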

  34. Remote attack on systems that allow domain users? by microsquishy · · Score: 1

    "The affected component is available remotely to users who have standard user accounts with domain credentials" https://technet.microsoft.com/... Sounds like a "fun" new target for malware.

  35. Vulnerability in Microsoft Windows Kerberos .. by lippydude · · Score: 1

    "This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account"

    How did they manage to write a security component, that of itself opens up the Operating System to exploitation? I mean, and after all, this isn't the defective Apple OS or open source ...

    1. Re:Vulnerability in Microsoft Windows Kerberos .. by microsquishy · · Score: 1

      How did they manage to write a security component, that of itself opens up the Operating System to exploitation? I mean, and after all, this isn't the defective Apple OS or open source ...

      I don't know, practice?

  36. FTFY by ClickOnThis · · Score: 1

    Yet another reason to move forward to Linux.

    --
    If it weren't for deadlines, nothing would be late.
  37. just update the exec's laptops by swschrad · · Score: 1

    then if it's a fail, you can lobby to switch to another platform.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
    1. Re:just update the exec's laptops by DigiShaman · · Score: 1

      Funny you mention that. I know of a few that use a MacBook Pro with VMWare Fusion running Windows 7 (custom vertical market apps). In this case, you can roll back via Time Machine in the event the VM of Win7 gets hosed.

      --
      Life is not for the lazy.
  38. Where are the Microsoft haters? by Anonymous Coward · · Score: 0

    Plenty of people were happy to bag the crap out of OpenSSL with the heartbeat issue. Where's the love for the remote code execution exploit in Microsoft's schannel?

  39. Why're you minus modded? by Anonymous Coward · · Score: 0

    You said the same as a +4 informative rated post and yours was posted before it http://tech.slashdot.org/comme... after yours was initially up modded to +1?

  40. Microsoft Security Bulletin MS14-068 - Critical by Anonymous Coward · · Score: 0

    Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)
    Published: November 18, 2014

    This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

  41. The essence of Microsoft by Anonymous Coward · · Score: 0

    Great management tools, buggy/insecure Operating Systems

  42. Re:do you want .Net? because that's how you get .N by ihtoit · · Score: 1

    WAMP on XP does what I need.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel