Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

Alert

Microsoft Out of Band Security Bulletin MS14-068 Released

Nov 18, 2014 2:57AM PST
Microsoft Security Bulletin MS14-068 - Critical

Published: November 18, 2014

Summary:

This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

For more information about this update, see Microsoft Knowledge Base Article 3011780.

Bulletin continued: https://technet.microsoft.com/library/security/MS14-068
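
As an added example (not part of the original post or of the Microsoft bulletin), this PowerShell checks whether the update from Knowledge Base Article 3011780 is recorded on the local machine, in both the installed-updates list and the Windows Update history, and reports a pending restart. The registry path and the result-code names are standard Windows Update values and are not taken from this page.

```powershell
# Added example: confirm whether the MS14-068 update (KB3011780) is recorded
# on the local machine. Run in a PowerShell prompt on the system to check.
$kb = 'KB3011780'   # KB article number taken from the bulletin above

# 1) Installed-updates list (same data as Control Panel > Installed Updates).
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

# 2) Windows Update history, read through the Windows Update Agent COM API.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$history  = @()
if ($total -gt 0) {
    $history = @($searcher.QueryHistory(0, $total) |
        Where-Object { $_.Title -match $kb } |
        Sort-Object Date -Descending)
}

# ResultCode values defined by the Windows Update Agent API (OperationResultCode).
$resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                  3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

if ($hotfix) {
    "{0} is installed (InstalledOn: {1})" -f $kb, $hotfix.InstalledOn
} else {
    "$kb is not in the installed-updates list on $env:COMPUTERNAME"
}

# One line per history entry that mentions the KB: time (UTC), result, title.
foreach ($entry in $history) {
    "{0:u}  {1,-20} {2}" -f $entry.Date, $resultNames[[int]$entry.ResultCode], $entry.Title
}

# A pending restart explains an update that was staged but is not yet
# listed as installed.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootKey) {
    'A restart is pending: staged updates finish installing at the next boot.'
}
```

A machine patched through a later update that supersedes this one may not list this KB number, so an empty result calls for a second look and does not by itself prove the machine is unpatched.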

Do these show up in windows updates & applied automatically?
Dec 1, 2014 12:05AM PST

The reason I ask is that a couple of times during the past couple of months, when I restarted my computer, which I do from time to time, I get a message to not turn off the computer while it's applying security updates. Yet when I go to windows updates / view reliability history, nothing is listed. And when I go to windows updates to see 'history', again, nothing is listed. Just to be clear, I'm not talking about the monthly "Tuesday" updates, these are as you state "out of band security" updates. I seem to recall "windows / software distribution / downloads", but I really don't see anything there. Windows 8.1, all updates, windows defender. And no, windows defender 'daily' updates are shown on the 'view reliability history'.

thanks for all you do,

Eddie

They should..
Dec 2, 2014 5:21PM PST

Eddie,

The short answer is they should install automatically and indicate they were installed.

However, taking into consideration the 'Do not turn the computer off while applying updates' message, I'm left wondering if they actually installed. IF the updates apply to your system, and IF you're unable to find them listed anywhere, I would question it.

Was there any additional information noted prior to 'Do not turn the computer off'? For example, did it read something such as, "We could not complete the updates. Undoing changes. Do not turn the computer off"? Or anything else which might indicate it didn't install properly?

Let us know. And by the way, thanks for .. "the thanks".
Carol

'Do not turn the computer off while applying updates' message
Dec 2, 2014 10:47PM PST

Yes, that is the message I have seen. "IF you're unable to find them listed anywhere, I would question it." After further review I was able to find where they are listed. Control Panel / Windows Updates / View Update History / Installed updates.

"Was there any additional information noted prior to 'Do not turn the computer off'? For example, did it read something such as, "We could not complete the updates. Undoing changes. Do not turn the computer off"? Or anything else which might indicate it didn't install properly?" - Short answer no.

There may be a partial answer in that I reinstalled my system on 10/23/2014. I reinstalled all my programs and did all the updates at that time. Took a little while but everything was up and running after a few hours. I created my own "list" of how and what to install so that I can do a reinstall as quickly as possible. However between 10/30 & 10/31 "17" updates were applied for Microsoft Office and PowerPoint after receiving the "do not turn the computer off" message. Just to be clear I usually restart or shutdown the computer every four or five, just because. Maybe this is not necessary, but that's how these "updates" did in fact get installed. Also, on 11/20 there were '3' security Microsoft Windows updates and 1 on 11/28.

Now that I found where they are listed, I guess there is a partial answer, but still, I would have thought they would have shown up in windows updates as 'needing to be installed'. Which brings up my initial inquiry.

Thanks for replying,

Eddie

Maybe change windows updates from auto
Dec 2, 2014 11:07PM PST

to "let me choose" will solve my issue.

Just saying,
Eddie

Yep, Most Like the "Let Me Choose" Option..
Dec 3, 2014 1:44AM PST

Sorry I came into this a little late, but the out-of-band updates are handled by Windows exactly as the monthly "Tuesday" updates. Yep, you found them correctly in the "Installed Updates" section and if you've got the updates set to install "Automatically", then you'll frequently get the "Do Not turn off the computer" message. It allows the updates to install correctly and doesn't interrupt your normal computer work.

That said, if you still like the basic idea of updating the computer automatically, but still allowing you to choose when they're installed, then the "Let me choose" option is the best option for you. The updates are still downloaded and installed in the same manner, but you will be notified when the updates are available and you can then decide when the installation process will occur.

Just a note: For many of us, even though it's not a recommended method, we choose to turn off automatic updates entirely. Every second Tuesday of the month, we manually visit the Windows Update site and scan for updates, then install those updates that are necessary. This method is ONLY for those who are diligent and keep current on any new updates that are released, but is an option which is available. It's your choice.

Hope this helps.

Grif

Let me choose option selected
Dec 3, 2014 6:07AM PST

I guess, mystery solved. I still would have thought that there would have been 'something' to tell me that I needed to reboot so that the updates could be installed. Could be someone wouldn't 'reboot' for some time, maybe even from one "Tuesday" to the next "Tuesday". As the kids say, whatever, issue resolved.

Thanks for replying, Grif

Eddie

The "Reboot" Occurs AFTER You Shut Down the Comp
Dec 3, 2014 11:13AM PST

With the automatic method, the computer installs the updates, then shuts down. The next time you restart the machine, you've rebooted it. No request is necessary.

With the "Let Me Choose" option, there is normally a notice to restart/reboot after the installation occurs. It's required because you haven't shut the computer down. The same restart/request is given when you manually install the updates.

Hope this helps.

Grif

I'm sorry I don't understand
Dec 3, 2014 12:22PM PST

My computer 'was' set for auto download and install. (Now changed to let me choose.) The point of my initial question, if you will, was that 'nothing' happened after this process. Nothing that is, until "I" manually rebooted, just because "I" wanted to reboot. There was nothing telling me to reboot. I didn't know that "updates" had occurred and therefore I "needed" to reboot. I know that on "Tuesdays", in my case actually Wednesdays, I have gone to the 'windows updates' place, checked to see if there were any updates, told it to download and install same. And at the end of the process, there was "always" a message telling me that I needed to restart the computer "or" it would automatically restart in 24 hours. I, of course, always restarted at that time. Again, the whole point was I didn't know I 'needed' to restart. So, I have to assume that because I was "manually" checking, I saw a "list" and acted accordingly. And if I hadn't "manually" done anything then the computer would have automatically rebooted. O.K.

Anyway, with the 'let me choose' option I'm assuming the issue is resolved.

Eddie

Well,,,,, It Depends...
Dec 4, 2014 5:50AM PST

Hopefully, I can clarify. And please believe me, I understand why this is confusing. And YES, I believe your issue is resolved.

First, please note that some types of updates do NOT require a restart to be installed. With your previous "Automatically download and install" setting, the update would be installed and you might not even know about it unless you know where to look. (Apparently, you now know where to check for updates but even then, some of them are hard to find.) Occasionally, those same updates will require Windows to reconfigure itself when the computer starts the next day. That explains why you might see the "Do not shut down the computer" message and possibly a percentage display of the configuration process.

Second, please note that to the computer, a shutdown, then a restart the next day is the same as a 'reboot'. No secondary "reboot" is needed. As you've indicated, when you visit the Windows Updates site, then download and install the updates that have been detected during the update scan, you are asked to restart the computer, which you normally do immediately. (I do as well) During the reboot of the computer, you should notice the computer tells you not to shut down the computer and you'll also see a percentage display which generally proceeds to about 33%, then the computer shuts down and it restarts. Upon the restart, you'll once again see the warning against shutting down the computer, and the percentage display appears again, this time proceeding to 100%, after which you'll see the login screen. Such is normal when using the Windows Updates site and it's why I tend to use it exclusively, instead of automatic updates.

On the other hand, with the "automatically download and install" setting, the updates are downloaded automatically but are usually installed just prior to when the computer is shut down. The next morning when you start the computer, the only thing you will see is the "do not shut down the computer" warning and possibly the percentage display of the configuration process. In all of these cases, you won't see the updates listed as successful until after the configuration process is finished. This should also explain why you see the "Do not shut down the computer" after starting up in the morning, and also why you might not have seen the installed updates listed.

Hope this helps. Or maybe I confused you more......

Grif

(NT) Understood - Thanks Grif for taking the time.
Dec 4, 2014 6:16AM PST

(NT) Glad WE Could Help !
Dec 4, 2014 7:38AM PST