Microsoft's SSL libraries urgently patched again: when are you upgrading your servers?

The most important patch in this month's regular batch was in the SSL library, although it wasn't clearly identified as such. It seems that Microsoft has decided to go through the code, processes and logic of its SSL library and certificate chains line by line (and discovered a 9-year-old mistake).

The mistake they discovered is in the Kerberos chain and makes it possible to forge a certificate. Kerberos is used by many enterprises as a cheap alternative to real certificates. But it gets fixed fast, and out of band, if there are reports that targeted attacks are being launched (without any attack code being publicly available for this purpose).

On one side you can say that this is worrying; on the other side it is extremely comforting that they are putting so many resources into it (which is normal if you understand that Microsoft is in fact the only alternative to the OpenSSL debacle). If you compare that to the one, two or three people who will be going through all the code of OpenSSL, you understand that Microsoft has a competitive advantage, even if some believed that all intelligent users of open-source software would check it for mistakes (as if they have nothing else to do). This dogma has been proven totally wrong and will demand some fundamental rethinking.

"A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos."
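The bulletin's wording, "fail to properly validate signatures", describes a whole class of verifier bug: a signature check that lets the ticket itself name the checksum algorithm, so an unkeyed checksum passes as if it were a keyed signature. The toy model below is an added illustration and is not Microsoft's code; the ticket layout, the field names, the signature-type identifiers and the KDC key are all constructed for the example. It places a lenient verifier next to a strict one and shows, as a regression test a defender would keep, that only the strict one rejects authorization data that was rewritten and re-checksummed without the KDC's secret.

```python
"""Toy model of a Kerberos-style service-ticket signature check.

Added illustration, not Microsoft's code. The ticket layout, field names,
signature-type identifiers and key below are constructed for the example;
only the general point (a verifier must not let the ticket choose an
unkeyed checksum) is taken from the bulletin text.
"""
import hashlib
import hmac
import zlib

# Constructed signature-type identifiers for the toy ticket format.
SIG_CRC32 = 1        # unkeyed: anyone can compute it over any data
SIG_HMAC_SHA256 = 2  # keyed: needs the KDC's secret to compute

# Constructed secret standing in for the KDC's key.
KDC_KEY = b"constructed-kdc-secret-for-demo"


def checksum(sig_type: int, data: bytes, key: bytes) -> bytes:
    """Compute the checksum of the given type over the authorization data."""
    if sig_type == SIG_CRC32:
        return zlib.crc32(data).to_bytes(4, "big")   # key is ignored
    if sig_type == SIG_HMAC_SHA256:
        return hmac.new(key, data, hashlib.sha256).digest()
    raise ValueError("unknown signature type")


def make_ticket(authz: bytes, sig_type: int, key: bytes = KDC_KEY) -> dict:
    """Build a toy ticket: authorization data plus a signature over it."""
    return {"authz": authz, "sig_type": sig_type,
            "sig": checksum(sig_type, authz, key)}


def verify_lenient(ticket: dict, key: bytes = KDC_KEY) -> bool:
    """Flawed verifier: trusts whatever signature type the ticket names.

    With an unkeyed type, the checksum can be recomputed over modified
    authorization data by anyone, so the check passes without the KDC key.
    """
    expected = checksum(ticket["sig_type"], ticket["authz"], key)
    return hmac.compare_digest(expected, ticket["sig"])


def verify_strict(ticket: dict, key: bytes = KDC_KEY) -> bool:
    """Hardened verifier: only the keyed signature type is acceptable,
    and the comparison is constant-time."""
    if ticket["sig_type"] != SIG_HMAC_SHA256:
        return False
    expected = checksum(SIG_HMAC_SHA256, ticket["authz"], key)
    return hmac.compare_digest(expected, ticket["sig"])


def forged_ticket_accepted(verify) -> bool:
    """Regression check: does `verify` accept a ticket whose authorization
    data was rewritten and re-checksummed with no knowledge of the KDC key?"""
    forged = make_ticket(b"user=alice;groups=Domain Admins", SIG_CRC32, key=b"")
    return verify(forged)


if __name__ == "__main__":
    print("lenient verifier accepts forgery:", forged_ticket_accepted(verify_lenient))
    print("strict verifier accepts forgery:", forged_ticket_accepted(verify_strict))
    genuine = make_ticket(b"user=bob;groups=Users", SIG_HMAC_SHA256)
    print("strict verifier accepts genuine ticket:", verify_strict(genuine))
```

The fix the bulletin describes, "correcting signature verification behavior", corresponds to the move from `verify_lenient` to `verify_strict`: the verifier decides which algorithms are trustworthy, never the data being verified.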
