'Devastating' flaw found in Windows' authentication system (Uh-oh, a major Kerberos vulnerability)

The Register ^ | Dec 15, 2015 | Kieren McCarthy

[dayglored]

Looks pretty bad.

[dayglored]

Major vulnerability in Windows Kerberos security ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

Thanks to ShadowAce for the ping!!

[ctdonath2]

Kerberos, or Cerberus, is a mythical three-headed dog that guarded the underworld.
He was named by Hades.
Kerberos means “spotted”.

So yeah:
The god of the Greek underworld named his three-headed guardian dog “Spot”.

[Lurkina.n.Learnin]

Is this just on servers or is it something all users have to worry about?

[dayglored]

> Is this just on servers or is it something all users have to worry about?

I assume it's mainly a problem for servers in business network settings (Active Directory authentication for example), and not as much of a problem for your typical home user.

[freds6girlies]

bookmark

[deoetdoctrinae]

[SunTzuWu]

Until you read the last line.

[tacticalogic]

It is important to be aware that only organizations that already have a fully compromised domain controller are vulnerable to this technique.

If they already own your DC you're screwed anyway.

[miliantnutcase]

Yeah, so this is only a problem if your DC is already hijacked lol... well by that point you’ve got a ton shit to be worried about!

[Organic Panic]

I just had the fun surprise of Windows 10 after about 2 months. One of the updates wiped out the installations of my CAD FEA and CNC software. GREAT!!! And it’s too late to roll it back and the only solution is to upgrade my software...To the tune of $8500. Luckily it’s only one laptop and my old one still works fine.

Back to Windows 7

This admin vulnerability sounds bad. But it sounds to me something Obama is very interested in.

[SeeSharp]

One of the updates wiped out the installations of my CAD FEA and CNC software.

Is it a FLEXLM license issue? I'm kinda worried about that myself.

[stylin19a]

The flaw cannot be fixed and the only solution is to introduce and use Microsoft's Credential Guard program

Must be running Windows 10 enterprise edition.

[Ray76]

Taking a peek at the wayback archive shows that MS has known about this since 2014 at least.

[GingisK]

Microsoft crud is just to complex to comprehend. It has gotten well away from its authors. Even USB mice don’t work correctly any longer ... I suppose contact bounce isn’t being taught in Microsoft Land any longer.

[Dalberg-Acton]

I get that too. Thought it was just me.

[Company Man]

As I understand it Kerberos authentication is only used in enterprise environments.

[dayglored]

> If they already own your DC you're screwed anyway.

I think the point is that no vulnerability should be "excused away". Flaws -- regardless of where and what they are -- should get identified, analyzed, and fixed.

I'm sure you're not actually saying that there's no value to fixing the vuln, right?

[dayglored]

> As I understand it Kerberos authentication is only used in enterprise environments.

Depends on your definition of "enterprise". You only need an Active Directory server (domain controller) and half a dozen Windows client machines to consider using Kerberos auth, if you think it makes sense in your network. You don't have to be one of the big guys.

[mrsmith]

“to complex to comprehend”
I turned on my virus-free pretty clean home W10 and ran a netstat... got 4 or 5 pages of active connections. Half of them don’t make a lick of sense and there’s no info on the web. I just have to go along on faith...