Nomen Posted November 20, 2014 Posted November 20, 2014 (edited) Some details here: http://www.securityfocus.com/bid/70958----------Vulnerable:Microsoft Windows Vista x64 Edition SP2Microsoft Windows Vista SP2Microsoft Windows 7 for x64-based Systems SP1Microsoft Windows 7 for 32-bit Systems SP1(and other various versions of Windows Server)-----------From this: https://technet.microsoft.com/library/security/MS14-068---------------What systems are primarily at risk from the vulnerability? Domain controllers that are configured to act as a Kerberos Key Distribution Center (KDC) are primarily at risk.---------------So I ask - Can Vista or 7 (any version) act as a domain controller? And be a Kerberos Key distribution Center?I also ask if NT4 server or 2K server would also have this Kerberos vulnerability... ? Edited November 20, 2014 by Nomen
submix8c Posted November 20, 2014 Posted November 20, 2014 "Primarily at risk"...See description of Kerberos:http://technet.microsoft.com/en-us/library/cc780469%28v=ws.10%29.aspxAlso pay attention to the Contents of the Technet link (listed in the KB):https://support.microsoft.com/kb/3011780 For the POSReady the "Kerberos.dll" Version is "5.1.2600.6667" (consider this a Workstation).Obviously the "Kdcsvc.dll" won't be installed on non-Server Systems. Note the Version#'s for those OS.I'm not so sure that this can be ported to Win2K Servers/Workstations *or* NT4 Servers/Workstations. Win2K3 versions are 5.2.xxx, for this Fix it's v5.2.3790.5467. **AHHH!** Looking at the first link, it basically says "Nope, not NT4" (also googling indicates that). Also note that Active Directory is a part of this (only applies to Servers). Here's another MS article explaining more.http://msdn.microsoft.com/en-us/library/bb742516.aspx IOW, it appears that you're really making an issue of Win2k/NT4 for no reason. *UNLESS* the POSReady can be ported to a Win2kPro (ignoring the v5.2 porting necessary for Servers).http://www.msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/#entry1089299 Just realize it *appears* to be directly related to Logon to an Active Directory Domain and the Domain Server itself.
blackwingcat Posted November 21, 2014 Posted November 21, 2014 (edited) It is easy to patch MS14-068.But it is too difficult to patch MS11-013. Kerberos Channel Binding Support is too complex for me.Sorry. I releasedMS14-072 / MS14-068(included MS11-013) / MS14-070 / MS14-066 / MS14-067 / MS14-064for Extended kernel Windows 2000 in this month. "Primarily at risk"...See description of Kerberos:http://technet.microsoft.com/en-us/library/cc780469%28v=ws.10%29.aspxAlso pay attention to the Contents of the Technet link (listed in the KB):https://support.microsoft.com/kb/3011780 For the POSReady the "Kerberos.dll" Version is "5.1.2600.6667" (consider this a Workstation).Obviously the "Kdcsvc.dll" won't be installed on non-Server Systems. Note the Version#'s for those OS.I'm not so sure that this can be ported to Win2K Servers/Workstations *or* NT4 Servers/Workstations. Win2K3 versions are 5.2.xxx, for this Fix it's v5.2.3790.5467. **AHHH!** Looking at the first link, it basically says "Nope, not NT4" (also googling indicates that). Also note that Active Directory is a part of this (only applies to Servers). Here's another MS article explaining more.http://msdn.microsoft.com/en-us/library/bb742516.aspx IOW, it appears that you're really making an issue of Win2k/NT4 for no reason. *UNLESS* the POSReady can be ported to a Win2kPro (ignoring the v5.2 porting necessary for Servers).http://www.msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/#entry1089299 Just realize it *appears* to be directly related to Logon to an Active Directory Domain and the Domain Server itself. Edited November 21, 2014 by blackwingcat
Nomen Posted November 24, 2014 Author Posted November 24, 2014 Ah - so I wasn't the only one asking this question:============Why is Microsoft updating Windows PCs for a security bug on the server?http://www.computerworld.com/article/2851333/why-is-microsoft-updating-windows-pcs-for-a-security-bug-on-the-server.htmlThe Kerberos vulnerability is only in Windows Server, but Windows PCs are getting extra security fixesWhen Microsoft released a critical update for multiple versions of Windows Server this month, it also pushed out a fix for several releases of the Windows client OS, including even the technical preview for Windows 10.It was critical to get the patch out for Windows Server: An exploit affecting Windows Server 2008 R2 and earlier versions has already been detected, and Windows Server 2012 and later releases are vulnerable to a related but more difficult attack.But the vulnerability isn't present in the desktop versions of Windows. In Windows Server, the flaw allows attackers to employ the username and password of anyone in an Active Directory domain to get the same system privileges as a domain administrator, using a forged Privilege Attribute Certificate to fool the Kerberos Domain Controller that manages remote access.The bulletin for the patch says there's no security impact for the client versions of Windows. So why did Microsoft also release an update for Windows Vista, Windows 7, Windows 8, Windows 8.1 and the Windows 10 Technical Preview?It's because although they don't have that specific vulnerability, looking into the Windows source code to understand how the Privilege Attribute Certificate could be forged revealed some older code that Microsoft was no longer satisfied with, a representative for the company told us. That could mean other potential attacks, although they declined to give more details."The 'hardening' on the client side is the replacement of older code with newer code. In our investigation, although we did not discover a vulnerability on these platforms, we did discover code that needed to be improved in order to meet our current security standards," the representative said.Although Microsoft hasn't said whether Windows XP also had the problem code, it's likely it does given the age of the code involved. As XP is out of support, only companies that are paying for extended support contracts would get an update for it -- another incentive for anyone still using the older OS to upgrade.The update applied to the Windows Server Technical Preview as well, but Microsoft said it doesn't list security impact and severity ratings for previews. "As customers know, beta software is not fully supported and we do not want to cause customer confusion," the representative said.======================
submix8c Posted November 24, 2014 Posted November 24, 2014 @Nomen:You must have missed this part:"Kerberos.dll" is replaced on Workstations as well as Servers. You already cited the link that said "somewhat" why.In addition, you apparently disregarded the first link (Technet) I gave. Try looking at that nifty chart. If you don't want to patch a Workstation, then don't and see what happens.Otherwise, go argue with MS as to why they did (see your quotes above). We're not privy to MS' secrets.http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
blackwingcat Posted November 25, 2014 Posted November 25, 2014 I tried to patch kdcsvc.dll for Windows 2000.You can down load from WLU. http://blog.livedoor.jp/blackwingcat/archives/1883150.htmlhttp://blog.livedoor.jp/blackwingcat/archives/1883160.htmlTechnical information here.
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now