Microsoft on Tuesday released a critical security patch outside of its normal, monthly software update cycle to fix what it described as a serious, privately reported vulnerability in Microsoft Windows Kerberos Key Distribution Center (KDC).
If left unpatched, the security hole could allow an attacker to impersonate any user on a domain, including domain administrators. They could use that access to install programs; view, change or delete data; or create new accounts on any domain-joined system, Microsoft said.
The security hole affects a wide range of Windows versions and is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, Microsoft said.
Kerberos is an encryption technology that is the default authentication method for Windows systems, starting with Windows 2000. The Kerberos Key Distribution Center is a standard network service for issuing temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services (AD DS).
Read more via Microsoft Security Bulletin MS14-068 – Critical.