My next class:

Microsoft November out-of-cycle patch MS14-068

Published: 2014-11-18. Last Updated: 2014-11-19 00:15:18 UTC
by Jim Clausing (Version: 1)
21 comment(s)

Microsoft November out-of-cycle patch

Note: MS14-066 was also updated today to fix some of the issues previously discussed with the introduction of the additional TLS cipher suites.  Folks running Server 2008 R2 and Server 2012 are urged to reinstall

Update (2014-11-18 19:45 UTC) - After reading Microsoft's further explanation, the ISC ratings have been adjusted.

Ref: http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx

Overview of the November 2014 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
clients servers
MS14-068 Vulnerability in Kerberos Could Allow Elevation of Privilege. Could allow for forging of part of Kerberos service ticket.
(ReplacesMS11-013 MS10-014 )
Microsoft Windows

CVE-2014-6324
KB 3011780 Limited targeted attacks known to be in the wild Severity:Critical
Exploitability: 1
Important Critical
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

       

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Keywords: mspatchday
21 comment(s)
My next class:

Comments

We've started an immediate rollout, but all of a sudden can't load Windows Update on Windows 2003 machines. Anyone else seeing this?

2014-11-18 11:51:08:549 3116 3b4 COMAPI ----------- COMAPI: IUpdateServiceManager::AddService -----------
2014-11-18 11:51:08:564 3116 3b4 COMAPI - ServiceId = {7971f918-a847-4430-9279-4a52d1efe18d}
2014-11-18 11:51:08:564 3116 3b4 COMAPI - AuthorizationCabPath = C:\WINDOWS\SoftwareDistribution\AuthCabs\muauth.cab
2014-11-18 11:51:08:580 848 824 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\7971f918-a847-4430-9279-4a52d1efe18d.auth.cab.temp\muauth.cab:
2014-11-18 11:51:08:596 848 824 Misc Microsoft signed: Yes
2014-11-18 11:51:08:611 848 824 Agent WARNING: WU client fails CClientCallRecorder::AddService2 with error 0x80248015
2014-11-18 11:51:08:611 3116 3b4 COMAPI WARNING: ISusInternal::AddService failed, hr=80248015
2014-11-18 11:51:08:611 3116 3b4 COMAPI - Exit code = 0x80248015
This is critical for servers, however really only if the Key Distribution Center (Domain Controller) role is active.

"This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

This should not be rated critical for clients.

"The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1 "


If a desktop OS is running a KDC, that would fall into the ISC "The difference between the client and server rating is based on how you use the affected machine." - i.e., you're using it as a server.
I was debating that and you are correct, I'll probably adjust the criticality down on workstations. On initial read, I thought that forging the service ticket could be used to compromise the clients (workstations), but the latest blog post from Microsoft makes it clear that this really only works against servers. See http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
Have you updated the right box :)
The "ISC Rating" color scheme (white text on red background) would indicate a "PATCH NOW" rating, but it says "Critical" in the rating box. You might clarify the rating (or adjust the text or colors as appropriate.)
I have reports of this for both the GUI Windows Update and Microsoft Update on Server 2003 systems.
"but all of a sudden can't load Windows Update on Windows 2003 machines."

Seeing that as well here.
Our sole remaining Server 2003 VM was unable to get to Microsoft Update as well.

Workaround: If you have automatic updates running, you can use: "wuauclt.exe /detectnow" at the command prompt. After waiting in silence for a few minutes, you should then get the alternative (non-IE-based) updating mechanism in the system tray (don't expect any GUI-feedback while the update detection is underway). This worked for me.

If Automatic Updates isn't enabled on the server (and thus this work-around won't work), perhaps that can be turned on via control panel, system panel, or registry?
For those having problems with updating Windows Server 2003, we’ve found a workaround:

1) Stop the Automatic Updates and Background Intelligent Transfer Service services.
2) Delete or rename the %windir%\SoftwareDistribution folder.
3) Restart Automatic Updates and Background Intelligent Transfer Service services.
4) Go to the Windows Update site, NOT the Microsoft Update site, and DO NOT enable Microsoft Update.
Direct link to Windows Update site: http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us
5) From Windows Update you can install updates. (Obviously MS14-068 is what we’re talking about today.)

The workaround breaks on first reboot and will have to be repeated to install additional updates.

Hopefully Microsoft will fix their screwup with Microsoft Update soon...
Trashed my computer (HP Probook 455 G1).

Could not boot into any mode of the operating system. Efforts to repair with Windows System Recovery Disk and HP Recovery Disc failed.

Finally managed to restore system from full image backup.

The one thing that may be non-standard on my computer is that the hard disk is encrypted with HP's security software.

Apparently Microsoft did not test this patch on computers running HP encryption.

Diary Archives