Microsoft Releases Out-of-Band Security Patch For Windows
mrspoonsi writes Microsoft has announced that they will be pushing an out-of-band security patch today. The patch, which affects nearly all of the company's major platforms, is rated 'critical' and it is recommended that you install the patch immediately. The patch is rated 'critical' because it allows for elevation of privileges and will require a restart. The platforms that are affected include: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1. Windows 10 Technical Preview customers are affected, too.
Better go kick WSUS into a sync... (Score:5, Funny)
I love nothing better than starting out my Tuesday with rebooting every Windows box...
Re: (Score:2)
Scheduling an emergency patch and reboot with terminal servers among all employees is a huge PITA! "Awww, do we have to? I've got all this work to...*BEEP*." Sorry guys, finger slipped when it asked me to reboot or not. OTOH, server secure :)
Scheduling an emergency patch and reboot with terminal servers among all employees is a huge PITA! "Awww, do we have to? I've got all this work to...*BEEP*." Sorry guys, finger slipped when it asked me to reboot or not. OTOH, server secure :)
Import-Module ActiveDirectory
# Every computer object under the target OU; the DN is a placeholder to fill in
$ComputerNames = Get-ADComputer -SearchBase "<DN of your server/workstation OU here>" -Filter * | Select-Object -ExpandProperty Name
ForEach ($ComputerName in $ComputerNames)
{
    # Force the restart without prompting; the caller needs WMI/DCOM access to each target
    Restart-Computer -ComputerName $ComputerName -Force
}
Have the nightshift guy run that from a machine that the workstations/servers will accept WMI calls from and then have him feel like a wizard as every computer under the OU magically reboots.
Re: (Score:2)
Importing modules? Multiple lines? Can't be run from a standard command prompt? Ugh.
FOR /F "usebackq tokens=1 skip=3" %A IN (`net view /domain:domain`) DO IF [%A] NEQ [The] shutdown /r /t 0 /d p:2:18 /m %A
Re: (Score:2)
About 40% of my servers would have serious issues with that. From SAP systems to certain SQL jobs. That would be a resume writing event.
SAP? SQL? Party like it's 1999! For me, having it matter whether any given server suddenly fails would be a career limiting move. We push-restart patches to services every week or two, and if that affects a customer in any way TSHTF.
Re: (Score:2)
About 40% of my servers would have serious issues with that. From SAP systems to certain SQL jobs. That would be a resume writing event.
SAP? SQL? Party like it's 1999! For me, having it matter whether any given server suddenly fails would be a career limiting move. We push-restart patches to services every week or two, and if that affects a customer in any way TSHTF.
You're a dumbass if you think SAP and SQL are relics.
Further, you're a dumbass if you think redundancy, load balancing, etc. solve the problem. They add reliability to the replicated services by moving the single point of failure out to a different box (the load balancer, the VM server, the border switch, the ISP, or even all the way out to DNS) while adding complexity and cost and increasing the impact should the new single point of failure fail.
Further, they intrinsically impact customers by providing di
Re: (Score:2)
I help develop and operate a service that makes a hefty sum by doing all those things you deride, implementation-wise. It all works quite well - well enough that if routine patching causes any customer-visible disruption, you're in for extensive analysis, paperwork, and perhaps ritual abasement before an angry VP.
Yes, yes, there are many technical problems involved with consuming "eventual consistency". In the 20th century these problems were seen as blocking, and anyway just buy a bigger DB server. But
Re: (Score:2, Insightful)
Damned if you do, damned if you don't. Welcome to Windows.
FTFY ;)
Re: (Score:2)
I think you might mean NT there...
Re:Better go kick WSUS into a sync... (Score:5, Insightful)
If you roll out your patches the moment they come in, you are a retard - whatever happened to testing them in a subset of your organisation before releasing them to the general population, or do you enjoy running around like a headless chicken when there's a compatibility conflict?
Re:Better go kick WSUS into a sync... (Score:5, Informative)
Absolutely. We have a scheduled nightly patch push three times per week. New patches come into the test facility, they get run against our known baseline applications (commercial and homegrown), then get pushed after they pass QA. Nothing gets pushed straight from MS or anyone else. We can push out of cycle, but usually nothing is so critical it can't wait for 2-3 days of testing.
Re: (Score:2)
That applies to all operating systems. When it comes to production, three things apply: Has the patch been tested in an environment as close to what the field is like, can it be applied without much downtime, and is there a way to back it out without causing major headaches.
This is one reason I like virtualization with clusters [1]. If a patch does make it past testing and fouls up a production VM, I'm a snapshot away from going back to a working machine. This isn't a magic bullet solution, but it does
Re:Better go kick WSUS into a sync... (Score:4, Interesting)
VMWare's fault tolerance mechanism is limited to a VM with one vCPU, but the ability to restart a VM if the physical machine is dead is a good one. Same with Hyper-V
This is not correct.
VMware's Fault Tolerance is indeed limited, but it has nothing to do with the ability to restart a VM on a dead host. FT prevents a machine from ever going down in the first place by keeping 2 identical VMs on 2 different hosts in sync, CPU state and all.
High Availability is the feature you refer to regarding rebooting a downed VM, and it has no vCPU restrictions.
Re: (Score:3)
There has already been one major compatibility bug in the patch for MS14-066 released November 11, where you update your IIS server to fix the SSL remote code exec bug, and Chrome browsers stop working.
Furthermore, there were several botched updates in October.
Windows 7 blue screens with a patch in September
I don't know what the deal is, but it looks like maybe Microsoft stopped testing security patches on August's patch tuesday, or something.
Re:Better go kick WSUS into a sync... (Score:5, Informative)
Chrome not properly handling some TLS 1.2 ciphers is hardly an MS bug, though they do have a workaround for compatibility if you need it.
Re: (Score:2)
As I understand it they introduced changes independent of the security fix, and the non-fix-related feature additions caused the problem.
They shouldn't have rolled new features in the same patch, BUT if they did, they should have included common software used by more than 10% of windows systems in their test cases and basic functionality such as HTTPS compatibility.
Re: (Score:2)
I don't know what the deal is, but it looks like maybe Microsoft stopped testing security patches on August's patch tuesday, or something.
Having recently "downsized" their QA staff testing work has been outsourced to paying customers.
When they say they will release a patch 10 AM PST this represents the time they will have managed to get it to compile.
Re: (Score:3)
We don't keep files on people's feet.
Re: (Score:3)
It's a file format created by Acrobat.
Re:Better go kick WSUS into a sync... (Score:5, Interesting)
If you roll out your patches the moment they come in, you are a retard ... do you enjoy running around like a headless chicken when theres a compatibility conflict?
If only security were so binary - in the real world it's a constant process of risk/reward calculations.
Is this the vulnerability the boards have been buzzing about that gives a remote code exploit by merely visiting a malicious TLS server? If so, having all your end-user machines pwned inside the firewall is not better than the risk of a compatibility conflict. One cripples an organization, the other, at worst, breaks one app.
Re: (Score:2)
in a nice posh fortune 500 org where such resources are available to HIM
In many cases this can be true, but consider a case where there's a zero-day in the MS TLS implementation. The only possible thing that can be done here is to have a pre-existing TLS interception mechanism deployed (local CA root on workstations with on-the-fly cert regeneration on the proxy) and have that be on a non-MS platform.
Even if that's a good idea, many F500 companies won't have that deployed, much less the F50000.
There are s
Re: (Score:2, Funny)
I still would not want to be the guy who followed policy and got his internal network completely infested.
Ya, but you've already got Windows systems on your network ... :-)
just update the exec's laptops (Score:2)
then if it's a fail, you can lobby to switch to another platform.
Re: (Score:2)
Same here. I am the QA, IT and development division. Every PC belongs to an employee. I don't have an isolated network. We're only a 10-person company, but a lot of companies rely on us to have high uptime. I do the best I can do (creating images before updates, etc.), but at the end of the day I've got to throw the dice and hope it doesn't end up snake eyes, as it still takes time to recover.
Re: (Score:2)
OTOH, if one of your doofus users clicks on some crap and infests the network with the latest and greatest threat since ILY, you get whacked as well; after all, there WAS a patch out, and why the hell didn't you install it?
Re:Better go kick WSUS into a sync... (Score:5, Informative)
Any worthwhile testing would take weeks to perform.
Enjoy being exposed to known and active vulnerabilities while you're busy testing each patch individually against a dozen or more hardware configs across dozens of applications across hundreds of workloads and 99.99% of the time you'll find no problems that justify holding the patch back. And you'll STILL have Jerry from Accounting call you up after you deploy it because it broke the medieval torture device he calls an "ergonomic" keyboard.
You (or some peon) will then be dispatched to his desk to investigate Brenda's ticket of "Jerry's computer frozen please advise.", and you'll be forced to awkwardly use that shitty keyboard while you troubleshoot (you didn't bring your own because you forgot he fucking had the damned thing).
Here's the testing you need to do in the real world:
Install all the patches on your machine.
Reboot.
Launch IE, FF, Chrome, Outlook, Word, and Excel.
Launch any applications mentioned in the bulletin.
If nothing crashed, deploy the patch to everyone.
If something crashed, search "Patch Tuesday Breaks " and look for recent shit.
Re: (Score:2)
Well, for one thing, it was meant to be kind of funny.
Second: I really only have to look after a handful of Windows servers, because we do 90% of everything on Linux.
Third: it's all VMs, and we have snapshots. If something breaks, we disable the patch and roll back. Oh, that was hard.
Re: (Score:2)
I love running around like a headless chicken. It's my best joke at work and lightens up the dull meetings.
On that note, let's have a quiet remembrance in honor of Mike the Headless Chicken [wikipedia.org].
Re:Better go kick WSUS into a sync... (Score:4, Informative)
Even if you did have something better to do, would you rather be testing and deploying security updates or cleaning up a security breach?
It is easy to be unhappy about security updates because of the implied security bug, a bug that shouldn't have been in there in the first place. Yet we also have to remember that people are investing a lot of time into discovering and exploiting design/implementation flaws because we invest so much into computers and networks. It doesn't matter whether the mistake shouldn't have passed the muster of code review or if it's so obscure that it would take security experts years to understand its implications, someone is going to find it. It is, unfortunately, something that we've been seeing a lot of lately and it is something that won't disappear in the future.
(We also shouldn't be targeting Microsoft because most platforms have seen critical security updates and even critical security breaches lately. It doesn't matter how proficient the developers are, nor does it matter who they work for. What matters is the value of the systems and data being compromised.)
Re:Better go kick WSUS into a sync... (Score:5, Insightful)
I'm more annoyed by the architecture of Windows that requires reboots for a ridiculous amount of updates. Why haven't they figured out how to stop a service, update it, and then start it again? Why does everything require a reboot?
I understand kernel-level updates will require a reboot, and do on every OS out there. But there are far more reboots in patching Windows than any other platform.
Re: (Score:2)
To be fair, most updates of OS X have required a reboot as well. I'm in the process of installing 10.10.1 right now, and will have to reboot momentarily. There are probably more patches for Windows, but on its own, I'm not sure whether that statistic is objectively bad.
Re: (Score:3)
A lot of this is historical. IE is baked into the shell, so the shell files can't be updated while a user is logged in. These ties have been broken lately, but not completely. It's not the architecture of Windows, but rather the need to keep up appearances despite most people knowing better. And the architecture of the web browser of course.
Windows itself relies on having a lot of shared libraries, known as ".dll files". They can't possibly be patched if they are in use.
Oh wait. Forgive me for not kno
Re: (Score:2)
the general expectation is that a service will be running when it needs to be running.
And this expectation can be filled with something like Apple's launchd (open source [apple.com]) which has the ability to spawn or respawn jobs on demand; or monitor them and reload them if they die, throttled in case of crash.
So, patch the files, then kill the process. launchd then respawns it. Downtime? Less than a second. No reboot needed. The user can be notified by a box saying "The patch has been installed successfully" with a big green check mark.
Re: (Score:2)
On real operating systems, you can patch files while they're in use. If that doesn't work in Windows, that's a Windows problem, and an architecture issue.
Re: (Score:2)
You can reboot the server during work hours?
XP as well? (Score:4, Insightful)
Re:XP as well? (Score:5, Funny)
Since it's not listed this would mean XP is safer than W7 or W8.
Hazzah!
Re: (Score:3, Interesting)
Except reading the patch note, while Windows Vista, Windows 7, Windows 8 and Windows 8.1, Windows RT and Windows RT 8.1 are listed, it's to say they are not affected.
So it's a patch for the server products.
Re: (Score:3)
As far as the GP asking about XP - XP is out of support and doesn't get patches.
But Windows Embedded POSReady 2009 does. ;) I wonder if they have been keeping up with security patches, particularly the OLE one.
Re: (Score:2)
No, it just means that MS isn't issuing a patch for XP. At least not exactly. They have released a patch today "for WEPOS and POSReady 2009", which is the branding given to the point-of-sale variant of Windows XP, which Microsoft still offers support for. There's a registry hack that makes Windows XP identify itself as Windows POS [insert joke here] when contacting the MS Update servers, and machines running that variant will get the patch.
Or so I'm told. ;)
So... (Score:3, Interesting)
With Apple continuing to make a more closed ecosystem. And Google sharing all your data in the world, with little interesting movement in Linux. Now Microsoft trying to be more open.
Should we be a bit more welcoming to Microsoft?
iOS Developer Program and XNA Creators Club (Score:2)
With Apple continuing to make a more closed ecosystem [...] Should we be a bit more welcoming to Microsoft?
The "$99 per year recurring fee to run software you wrote on a machine you own" policy that Apple implemented in iOS was strikingly similar to the "$99 per year recurring fee to run software you wrote on a machine you own" policy that Microsoft had already implemented on Xbox 360.
Now Microsoft trying to be more open.
Case in point: Unlike Apple with the iPad, Microsoft has allowed for a free-of-charge developer license on Windows RT [microsoft.com], where you pay only once it's time to upload your app to Windows Store.
Re: (Score:3)
Only for iOS. OS X still has free Xcode development tools available. They used to ship with the OS, but now it's in the Mac App Store as a separate download. And this started before Microsoft created the Express edition of Visual S
Re:So... (Score:5, Insightful)
Now Microsoft trying to be more open. Should we be a bit more welcoming to Microsoft?
Embrace, Extend, Extinguish.
What you view as "trying to be more open" strikes me as being "Embrace".
Re: (Score:2)
EEE is a cautionary tale, not a knee-jerk reaction.
Is openness somehow bad? Is having source code for more and more products somehow bad?
I am going to classify your comment as "I don't know what they are doing, therefore I am confused, therefore they confused me and are trying something sneaky". In other words you are an idiot.
Embrace is good, and we support that. Extend is when we start to throw red flags. Extinguish is what users should do at the Extend phase.
Put another way, if they never get to Exte
Re: (Score:2)
Openness is not bad.
Microsoft's track record is bad.
Having source code for more and more products is not bad.
Microsoft's track record is bad.
Embrace is good.
Microsoft's track record is bad.
Someone who questions Microsoft's motives is not an idiot.
Microsoft's track record is bad.
Re:So... (Score:4, Insightful)
For the bazillionth time, Google is not "sharing all your data in the world". They are using your data in some very specific ways - and giving you free services in exchange. Those uses are relatively benign, as free internet services go, and they do not include sharing with any third parties.
Re:So... (Score:5, Insightful)
"For the bazillionth time, Google is not "sharing all your data in the world".
Technically, I think you are correct. What they are doing is collecting every possible bit of information about you in order to better sell you to advertisers.
Somehow, that doesn't make folks feel any better.
A.
Re: (Score:3)
"For the bazillionth time, Google is not "sharing all your data in the world".
Technically, I think you are correct.
Yes, technically correct.
When my ISP decided to drop their own email services and start funneling all their customers' email through Gmail, it wasn't technically "all my data" that they handed over to Google to index and root around through, it was just the last four years of deleted email they got to play with. Yes, email I deleted four years ago showed up on Gmail. So, technically, because I have some other email accounts that don't go through that ISP, I mean didn't go through them, Google doesn't have
Re: (Score:2)
You're missing my point. It's not "to share" at all. Yes, they have your data. And if you hate that they use that to send you targeted ads, well, then don't use gmail - or google search - or the rest. But don't go claiming that they're sharing the info they have - they're not. Microsoft wants you to think they are - so they can get you to switch to MS services - where they will collect exactly the same data and do the same things with it.
Re: (Score:2)
You're missing my point. It's not "to share" at all. Yes, they have your data. And if you hate that they use that to send you targeted ads, well, then don't use gmail - or google search - or the rest.
My only option in the matter would have been to leave an ISP I've been using for more than a decade. And I didn't expect them to HAVE four years of deleted email on hand to give to Google, so I didn't know Google was going to get it all until WAY too late.
But don't go claiming that they're sharing the info they have - they're not.
Citation required.
"Out of band?" (Score:4, Informative)
I hate it when tech companies and CS in particular misuse technical terms. "Unscheduled" is the word they really meant (and should have used.)
Re: (Score:2)
Seconded.
If I want to see people misuse computer terminology, there are plenty of TV shows full of it. (I'm not sure if I'm right in thinking that 24 started it.)
Re: (Score:2)
Yes I agree. I was wondering if Microsoft was going to be shipping the patch to customers on tapes, or what.
Re: (Score:2)
Agreed. I read the headline and thought, "They're not offering it through Windows Update? How are people supposed to get it, or even know it exists?"
Re: (Score:2)
This. Hand the man an insightful, because that's basically the problem.
I, too, was sitting here, knowing that MS is going to do something "out of schedule" and reading an update coming "out of band". For a moment I was worried that I might have missed something critical, then I said to myself "Wait. You read it on /., better check whether it's so or whether someone just wanted to use jargon to sound cool without knowing what the fuck they write about".
Re: (Score:3)
Out of band means that it's not distributed through the normal channels; i.e. Windows Update.
This one is, so it's not out of band.
And it's also only for server products, not Windows 7/8/8.1/10.
But don't let that stop what /. now uses instead of editors from making a stupid headline.
Re: (Score:2)
Actually it is out of band as it was not originally scheduled to be out on Patch Tuesday but was added after the fact.
We have some MS guys in our office
Not for Windows 8 or 8.1 (Score:5, Informative)
For Windows 8 and Windows 8.1, the Windows Update web site says "Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability." For all the other systems, the update is rated Critical.
Am I looking at the wrong thing?
Well, slightly confusing, as it sounds like it IS for Windows 8 and 8.1, but it's not critical on those platforms since the actual vulnerability is not present, but it still does make some changes.
This sounds to me like "an unrelated change we made in 8 made this, we think, unexploitable, but we are patching the error anyway, just in case". Not sure that is exactly correct, but that is how I interpret that.
Out of band? (Score:3)
No, Patch Tuesday is the normal scheduled time. Windows Update is the main channel.
Re:Out of band? (Score:5, Funny)
You will be getting a USB stick in the mail.
Don't worry... it is perfectly safe to insert into your server.
Does not Affect Vista, Windows 7, Windows 8, 8.1. (Score:4, Informative)
Bulletin Identifier: MS14-068

Windows Server 2003 (Aggregate Severity Rating: Critical)
- Windows Server 2003 Service Pack 2 (Critical)
- Windows Server 2003 x64 Edition Service Pack 2 (Critical)
- Windows Server 2003 with SP2 for Itanium-based Systems (Critical)

Windows Vista (Aggregate Severity Rating: None)
- Windows Vista Service Pack 2 (No severity rating)[1]
- Windows Vista x64 Edition Service Pack 2 (No severity rating)[1]

Windows Server 2008 (Aggregate Severity Rating: Critical)
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical)
- Windows Server 2008 for x64-based Systems Service Pack 2 (Critical)
- Windows Server 2008 for Itanium-based Systems Service Pack 2 (Critical)

Windows 7 (Aggregate Severity Rating: None)
- Windows 7 for 32-bit Systems Service Pack 1 (No severity rating)[1]
- Windows 7 for x64-based Systems Service Pack 1 (No severity rating)[1]

Windows Server 2008 R2 (Aggregate Severity Rating: Critical)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical)
- Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Critical)

Windows 8 and Windows 8.1 (Aggregate Severity Rating: None)
- Windows 8 for 32-bit Systems (No severity rating)[1]
- Windows 8 for x64-based Systems (No severity rating)[1]
- Windows 8.1 for 32-bit Systems (No severity rating)[1]
- Windows 8.1 for x64-based Systems (No severity rating)[1]

Windows Server 2012 and Windows Server 2012 R2 (Aggregate Severity Rating: Critical)
- Windows Server 2012 (Critical)
- Windows Server 2012 R2 (Critical)

Windows RT and Windows RT 8.1 (Aggregate Severity Rating: None)
- Windows RT: Not applicable
- Windows RT 8.1: Not applicable

Server Core installation option (Aggregate Severity Rating: Critical)
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Critical)
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Critical)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Critical)
- Windows Server 2012 (Server Core installation) (Critical)
- Windows Server 2012 R2 (Server Core installation) (Critical)

Notes for MS14-068
Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the update, which will be available via Windows Update.
[1] Severity ratings do not apply for this operating system because the vulnerability addressed in this bulletin is not present. This update provides additional defense-in-depth hardening that does not fix any known vulnerability.
DOES Affect Vista, Windows 7, Windows 8, 8.1. (Score:2)
I don't know what you're looking at, but it's the wrong patch. The patch in question is MS14-068, and it affects every system listed in summary.
https://technet.microsoft.com/library/security/MS14-068
Re: (Score:2)
What systems are primarily at risk from the vulnerability? Domain controllers that are configured to act as a Kerberos Key Distribution Center (KDC) are primarily at risk.
This isn't meant to dispute what you are saying (it does affect them all), but the article makes it clear that if the DCs are patched, you've mitigated the primary issue. Which seems strongly related to the comments to which you are replying.
Re: (Score:2)
No, the security bulletin is very clear that the vulnerability doesn't affect client versions of Windows. The patch has been made available anyway only as a defense in depth precaution.
If you look at the "Affected Software" table, you will note that the "Maximum Security Impact" is "None" for client versions.
(OK, I guess it depends on what you mean by "affect". But the upshot is that you only need to patch servers - more specifically DCs - now, everything else can wait and be done with next month's update
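The thread above boils down to "patch the domain controllers first, because every DC runs a KDC". The script below is an added example, not code from the thread or from Microsoft: it enumerates every domain controller in the forest with the ActiveDirectory module and asks each one, via the QFE (hotfix) inventory, whether the MS14-068 update is installed. The KB number is an assumption on my part (KB3011780 is the article I believe the bulletin lists for this update; verify it against the bulletin before relying on it), so the function takes it as a parameter.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT) on the
# machine running it and WMI/DCOM access to each domain controller for Get-HotFix.
Import-Module ActiveDirectory

function Get-DcPatchStatus {
    param(
        # KB article for the MS14-068 update. Assumed here; confirm it from the bulletin.
        [string]$KB = 'KB3011780'
    )
    # Every DC in every domain of the forest, since each of them runs a KDC
    $dcs = (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

    foreach ($dc in $dcs) {
        $status = [pscustomobject]@{
            DomainController = $dc.HostName
            Domain           = $dc.Domain
            OperatingSystem  = $dc.OperatingSystem
            KB               = $KB
            Installed        = $false
            InstalledOn      = $null
            Error            = $null
        }
        try {
            # Get-HotFix reads Win32_QuickFixEngineering; HotFixID values look like 'KB3011780'.
            # Listing everything and filtering locally avoids a "hotfix not found" error
            # being confused with "could not reach the DC".
            $hit = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                Where-Object { $_.HotFixID -eq $KB }
            if ($hit) {
                $status.Installed   = $true
                $status.InstalledOn = ($hit | Select-Object -First 1).InstalledOn
            }
        } catch {
            # Unreachable DC, access denied, WMI failure: record it rather than
            # silently reporting the DC as unpatched
            $status.Error = $_.Exception.Message
        }
        $status
    }
}

# Unpatched or unreachable DCs sort to the top so the ones needing attention are visible first
Get-DcPatchStatus | Sort-Object Installed, DomainController | Format-Table -AutoSize
```

Two caveats for real use: the QFE inventory only reflects updates the servicing stack has recorded, so corroborate a surprising "not installed" with WSUS reporting or the update history on the DC itself, and the check says nothing about read-only DCs versus writable ones; a forged ticket only needs one unpatched KDC that will accept it, so every row has to read Installed = True before the domain is covered.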
XP Killer? (Score:2)
Since XP and 2003 usually go together. I didn't find a technical discussion link on the advisory but if this is the buffer overflow in the TLS library that has been making the rounds recently, this could be the one that finally kills the XP machines on the 'net.
Unless Microsoft backpedals again and enables the XP holdouts for a while longer.
Re: (Score:3)
No, the TLS flaw was MS14-066 and it affects XP as well but there is no generally available fix for it since XP is out of extended support. If you care at all about security you're no longer using XP so the fact that there is another critical flaw isn't going to significantly change the situation.
Kerberos V5 does run on xp. In fact it'll run on 2000.
Re: (Score:2)
only those that host Kerberos as part of the consolidated domain services.
Another feather in the cap for XP (Score:2)
Thank goodness I'm still running XP!
Of little impact for illiterate users (Score:2)
It's interesting that a patch for privilege separation escalation, while being ranked serious, would have so little effect on most users, because most computer-illiterate users do not know how to use the feature; the OS contains what is a major problem in that it does not encourage these users to use it.
Most of your common Windows users do not use any kind of privilege separation; they go right in as a superuser account, because they don't even know what any of this stuff is. Windows ironically seems designed
WAMP on xp does what I need.
Re: (Score:2)
XP? I'm still using MS-DOS 3.3 here.
Re: (Score:2)
You must like setting the system time every time it boots.
How did you manage to post to Slashdot on your 8088 anyway (hope you have the full 640K RAM!)?
Re: (Score:2)
This is 2014. The majority of nerds have more than one computer.
Re: (Score:2)
This is 2014. The majority of nerds have more than one computer.
Heck, that's a prerequisite of membership.
...
But look on the bright side - nerddom also requires more than one operating system
FTFY (Score:2)
Yet another reason to move forward to Linux.
Re: (Score:2)
An elevation of privilege affecting the entire domain is certainly critical, particularly when it's already being used in attacks.
This means that if the attacker has control of one machine in the domain, he or she can take control of every other machine, including the servers.
Re: (Score:2)
yes, and this is a vulnerability in the authentication/session key service which is basically an invitation to exploit using a skeleton key.
Sounds to me like Kerberos is fatally flawed (as in, it was designed to prevent this exact thing from happening by whitelisting users on a per-case basis assigning temporary privileges according to their stored credentials), and this is a temporary fix.
Re: (Score:2)
There's a bit more information available now:
http://blogs.technet.com/b/srd... [technet.com]
Re: (Score:2)
This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account.
Source: https://technet.microsoft.com/... [microsoft.com]
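The bulletin text just quoted describes an unprivileged domain user ending up with domain administrator privileges, and the comments above note the flaw is already being used in attacks. The check below is an added example, not code from the thread or from Microsoft: it is my reading of how such an elevation would surface on a domain controller, namely a successful logon event (ID 4624) whose account name does not map to the SID the event records. The sample events, the CORP domain, the user jsmith and the SIDs are all constructed for the example; the second function pulls the same fields from a live DC's security log so the check can be run against real data.

```powershell
# Added example, not from the thread. Heuristic: a 4624 logon where the SID recorded for
# the account is not the SID that account actually resolves to. All sample data is constructed.

function Find-SidNameMismatch {
    param(
        # Objects carrying TargetUserName, TargetDomainName, TargetUserSid (parsed 4624 events)
        [Parameter(Mandatory)] [object[]]$LogonEvents,
        # Optional name -> SID map for offline use; otherwise the name is resolved through LSA
        [hashtable]$ExpectedSid
    )
    foreach ($e in $LogonEvents) {
        $expected = $null
        if ($ExpectedSid -and $ExpectedSid.ContainsKey($e.TargetUserName)) {
            $expected = $ExpectedSid[$e.TargetUserName]
        } else {
            try {
                # Translate DOMAIN\name to a SID via the local security authority
                $acct = New-Object System.Security.Principal.NTAccount($e.TargetDomainName, $e.TargetUserName)
                $expected = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { $expected = $null }   # unresolvable name: nothing to compare against
        }
        if ($expected -and $expected -ne $e.TargetUserSid) {
            [pscustomobject]@{
                TimeCreated   = $e.TimeCreated
                Account       = "$($e.TargetDomainName)\$($e.TargetUserName)"
                ExpectedSid   = $expected
                SidInEvent    = $e.TargetUserSid
                SourceAddress = $e.IpAddress
            }
        }
    }
}

# Live input: successful logons (4624) from a DC's Security log, projected to the fields above
function Get-DcLogonEvents {
    param([string]$ComputerName, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated      = $_.TimeCreated
                TargetUserName   = $d['TargetUserName']
                TargetDomainName = $d['TargetDomainName']
                TargetUserSid    = $d['TargetUserSid']
                IpAddress        = $d['IpAddress']
            }
        }
}

# Constructed sample: jsmith's real SID ends in RID 1105. The second logon carries the
# domain's built-in Administrator SID (RID 500) under jsmith's name; that is the row to flag.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2014-11-18T10:00:00'; TargetUserName = 'jsmith'; TargetDomainName = 'CORP'; TargetUserSid = 'S-1-5-21-1-2-3-1105'; IpAddress = '10.0.0.5' },
    [pscustomobject]@{ TimeCreated = '2014-11-18T10:02:00'; TargetUserName = 'jsmith'; TargetDomainName = 'CORP'; TargetUserSid = 'S-1-5-21-1-2-3-500';  IpAddress = '10.0.0.5' }
)
$known = @{ jsmith = 'S-1-5-21-1-2-3-1105' }
Find-SidNameMismatch -LogonEvents $sample -ExpectedSid $known | Format-Table -AutoSize

# Against a real domain controller (name assumed):
# Find-SidNameMismatch -LogonEvents (Get-DcLogonEvents -ComputerName dc01)
```

The check only catches a forged ticket that changes the user SID itself. A forgery that keeps the user's own SID and only adds privileged group SIDs to the ticket will produce a 4624 whose name and SID agree, so treat a clean result as "nothing obvious", not as proof the domain was not hit, and patch the KDCs regardless.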
Re: (Score:2)
no, it will affect any system which runs Kerberos. From 2K to ~.
The only difference is which OSen are in support cycle. Xp isn't one of them, and neither, clearly, is 2K. 2K3 is, but that's down to MS' decision to extend it, not, I think, due to any technical pressures or original scheduling.