Microsoft Security Bulletin MS14-066 - Critical

Posted on 2014-11-19
Medium Priority
Last Modified: 2014-11-25
Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

we are planning to deploy this out of band patch that released yesterday.
before that can I know whether it critical on Domain controllers and less critical on Servers. we will have to plan to patch it accordingly.

If it is critical on DCs, we will do right away. hope it can wait on other server editions for some time.
please confirm.

how about servers in DMZ, how critical in that environment?
Question by:Good
LVL 37

Accepted Solution

Neil Russell earned 1000 total points
ID: 40453267
As with ANY critical patch release, read the info from Microsoft.

This is over a week old now and yesterdays release was version 2 of the fix.  It is rated as critical on an OS basis, not what or where the OS installed.  A windows server is a windows server. AD is a role installed ontop of the server, therefore the server is still an affected server.

Author Comment

ID: 40454136
affected OS is windows OS, but if we the component mainly affected is kerberos KDC which is main component of Domain controller?
LVL 31

Assisted Solution

by:Rich Weissler
Rich Weissler earned 1000 total points
ID: 40460820
  Last Tuesday, an out of band announcement was made, and two security bulletins were impacted.
  First, MS14-066, concerning the SChannel update you mentioned originally, was updated.  They pulled back the Windows 2008 R2, and Windows 2012 patch and replaced them because folks were encountering issues with some of the encryption algorithms.  Yes, its bad, but it impacts may servers... not just DCs.
  Second, MS14-068 was released.  This is the one that impacts Kerberos on DCs.  Folks are running around screaming because apparently there are limited exploits, and I haven't seen that folks are saying that they are 'in the wild' yet.  Yes, install it on your DCs as soon as feasible, after testing of course.  The Microsoft bulletin indicates that it changes a check done by Kerberos, so unless someone is using malformed ticket requests, I don't anticipate problems with the changed code.  (In my testing thus far, I haven't seen any issues.)  The patch is being offered to other systems as well, apparently out of an overabundance of caution.

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question