I’m writing this on “Aftermath Tuesday” – one week after this month’s huge slate of patches came down the pike from Microsoft. Given all the update woes we’ve experienced this past year, did anyone really think they were going to be able to issue so many patches and have them all be problem free? Probably not, and for some users and IT pros, the fears were warranted. Reports of various problems with various patches have started to trickle in, and they range from annoying to crippling.
Our Patch Central blog has received more comments regarding problematic updates this month than ever before, and web sources such as Woody Leonhard over at InfoWorld are also reporting on compatibility problems, error messages and undesirable behavior following the installation of patches. Some users aren’t able to get some of the updates to install at all. The forums are aflutter with complaints and pleas for help regarding last week’s patches.
Some of the most serious problems are occurring with MS14-066 (KB2992611), the SChannel patch that got so much press when it was released. This patch is reported to cause severe performance problems on SQL Server, problems with the Chrome browser communicating with IIS web servers, and disconnections of TLS 1.2 sessions during the key exchange process. There are also compatibility problems with IBM’s B2B Integrator and File Gateway.
We have also received a report of problems with MS14-065 (KB3003057), which is this month’s cumulative security update for Internet Explorer. Problems include crashes of IE 11, inability to connect to the Internet after installing the patch, and incompatibilities with specific software including Epim and the IWebBrowser interface. We also heard about MS14-070 (KB2989935) causing unexpected behavior with Websphere Application Server. In most of these cases, uninstalling the patches fixes the problems.
Microsoft is receiving the feedback about the unintended consequences many are experiencing after installing these patches and we can hope that they will reissue some of the patches and/or release fixes or workarounds soon.
Meanwhile, a new “out of band” patch was released today. Patch releases outside of the regular Patch Tuesday schedule are relatively rare, and generally reserved for very severe zero-day-type vulnerabilities that are already being exploited or have been publicly disclosed, so that the risk of imminent exploitation is high.
This one is a little different, though. Last week’s release was unusual in that the Advance Notification the week before announced the impending release of 16 patches but on Patch Tuesday, only 14 updates appeared. Two numbers, MS14-068 and MS14-075, were deferred with the label “Release date to be determined.”
MS14-068 (KB3011780) is the patch that was released today, November 18. The vulnerability that it addresses is rated critical and affects all currently supported versions of Windows Server – 2003, 2008/2008 R2, 2012/2012 R2 – but it was reported privately and the attacker has to have valid domain logon credentials to be able to exploit it. The critical rating and the decision to release it now instead of waiting until next month’s Patch Tuesday were probably based on the fact that Microsoft is aware of some limited attacks that have taken place in the wild and that exploit the vulnerability.
MS14-068 addresses a checksum vulnerability in the Kerberos Key Distribution Center (KDC) that, due to a failure to properly validate signatures, can allow certain types of Kerberos service tickets to be forged. An attacker can use this to elevate privileges remotely, gaining domain administrator privileges from an unprivileged domain user account. The attacker would be able to impersonate any domain user and join any domain group. Obviously this would give the attacker full control over the domain.
Windows Server domain controllers that are set up to function as Kerberos KDCs should be patched as soon as possible. This includes server core installations. In addition to fixing the Kerberos vulnerability, the update also includes some additional defense-in-depth system hardening. For that reason, it should also be applied to Windows client systems – Vista, Windows 7 and Windows 8/8.1 – even though they are not at risk from the Kerberos vulnerability.
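One check a defender can run while the patch rolls out, added here as an illustration and not code from the original post or from Microsoft: a forged service ticket of the kind described above produces a domain controller logon event whose Security ID does not belong to the Account Name that was logged on, so scanning 4624 records for that inconsistency surfaces suspect logons. The flattened event format, the account-to-SID table and the sample events are constructed assumptions; in practice the SIDs would be resolved against Active Directory.

```python
"""Heuristic scan of Windows 4624 logon events for SID / account-name mismatches.

A forged PAC lets a low-privileged user be logged on under a high-privileged SID;
the resulting 4624 event on the domain controller then shows a Security ID that
does not belong to the Account Name. Added illustration, not code from the post
or from Microsoft; the SID table and event records are constructed samples.
"""
import re

# Constructed directory snapshot: the SID the domain holds for each account
# (keys are lower-cased DOMAIN\user so lookups are case-insensitive).
ACCOUNT_SIDS = {
    "contoso\\administrator": "S-1-5-21-1111111111-2222222222-3333333333-500",
    "contoso\\nonadmin": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "contoso\\svc_backup": "S-1-5-21-1111111111-2222222222-3333333333-1210",
}

# Constructed records, one event per line: Event ID plus the "New Logon" fields.
# The second line is the anomaly: nonadmin logged on under the Administrator SID.
SAMPLE_EVENTS = [
    "EventID=4624 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-1105 AccountName=nonadmin AccountDomain=CONTOSO",
    "EventID=4624 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-500 AccountName=nonadmin AccountDomain=CONTOSO",
    "EventID=4624 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-1210 AccountName=svc_backup AccountDomain=CONTOSO",
    "EventID=4768 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-500 AccountName=nonadmin AccountDomain=CONTOSO",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))

def find_sid_mismatches(events, account_sids):
    """Return (account, logged_sid, expected_sid) for every 4624 event whose
    Security ID is not the SID the directory holds for that Account Name."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue  # only successful logon events carry the fields we compare
        account = f"{ev['AccountDomain']}\\{ev['AccountName']}".lower()
        expected = account_sids.get(account)
        if expected is None:
            continue  # unknown account: cannot judge, so skip rather than guess
        if ev["SecurityID"] != expected:
            findings.append((account, ev["SecurityID"], expected))
    return findings

if __name__ == "__main__":
    for acct, got, want in find_sid_mismatches(SAMPLE_EVENTS, ACCOUNT_SIDS):
        print(f"SUSPECT: {acct} logged on with SID {got}; directory says {want}")
```

A mismatch is a lead to investigate, not proof of compromise on its own; the event source, time and target host still need to be pulled for the full picture.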