Microsoft has released an out-of-cycle emergency security update to patch a Windows flaw being actively exploited by hackers.
The bug exists in the Kerberos authentication system used by all currently supported versions of Windows, and can be exploited to gain domain administrator privileges and access rights.
“A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows,” explained Microsoft in a threat advisory.
“The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged.”
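As an added illustration (not code from the original article or from Microsoft), the toy verifier below models the class of defect the advisory describes: a weak checker that lets the ticket name its own checksum algorithm, including an unkeyed one, beside a strict checker that accepts only a keyed MAC under the KDC's key. The function names, the JSON authorization blob and the key are constructed for the demo; they are not real Kerberos structures and make no claim about the exact Windows defect.

```python
import hashlib
import hmac
import json
import zlib

# Constructed demo key, not a real KDC or krbtgt key.
KDC_KEY = b"demo-kdc-key-not-real"


def make_authz(user, is_domain_admin):
    """Toy stand-in for the authorization data carried in a service ticket."""
    return json.dumps({"user": user, "domain_admin": is_domain_admin},
                      sort_keys=True).encode()


def sign_authz(authz, key):
    """What a correct KDC produces: a keyed MAC over the authorization data."""
    return ("hmac-sha256", hmac.new(key, authz, hashlib.sha256).digest())


def weak_verify(authz, sig_type, sig, key):
    """Defective: honours whatever checksum type the ticket names, so an
    unkeyed CRC that anyone can compute over forged data is accepted."""
    if sig_type == "crc32":
        return sig == zlib.crc32(authz).to_bytes(4, "big")
    if sig_type == "hmac-sha256":
        return hmac.compare_digest(sig, hmac.new(key, authz, hashlib.sha256).digest())
    return False


def strict_verify(authz, sig_type, sig, key):
    """Hardened: only a keyed MAC under the KDC's own key is acceptable."""
    if sig_type != "hmac-sha256":
        return False
    return hmac.compare_digest(sig, hmac.new(key, authz, hashlib.sha256).digest())


def demo():
    """Run both verifiers over a genuine blob and a tampered one."""
    forged = make_authz("lowpriv", True)              # claims domain admin
    forged_sig = zlib.crc32(forged).to_bytes(4, "big")  # no key needed
    genuine = make_authz("lowpriv", False)
    gtype, gsig = sign_authz(genuine, KDC_KEY)
    return {
        "weak_accepts_forgery": weak_verify(forged, "crc32", forged_sig, KDC_KEY),
        "strict_rejects_forgery": not strict_verify(forged, "crc32", forged_sig, KDC_KEY),
        "strict_accepts_genuine": strict_verify(genuine, gtype, gsig, KDC_KEY),
        "strict_detects_tamper": not strict_verify(forged, gtype, gsig, KDC_KEY),
    }
```

The point for a defender is the middle function: a verifier must fix the algorithm and the key itself, never let the presented ticket choose them.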
Microsoft said it was tipped off to the vulnerability by the Qualcomm information security and risk management team, and has since uncovered evidence that it is being exploited.
“When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. Note that the known attacks did not affect systems running Windows Server 2012 or Windows Server 2012 R2,” read the advisory.
The nature of the attacks remains unclear, although they have the potential to cause lasting damage.
Attackers with escalated privileges could install malicious software and compromise the victim’s entire network.
“An attacker could use this vulnerability to elevate an unprivileged domain user account to a domain administrator account [and] impersonate any user on the domain,” explained the advisory.
“By impersonating the domain administrator, the attacker could install programs; view, change or delete data; or create new accounts on any domain-joined system.”
Microsoft called on IT managers to install the update as soon as possible.
The out-of-cycle release comes one week after Microsoft released its November Patch Tuesday update. The update included 12 bulletins, four of which were rated ‘critical’.