Agreed.

So your take is like mine that KB3018238 is a bug fix, and is not required to 
patch the vulnerability?

gt

> Date: Sun, 23 Nov 2014 08:11:44 -0800
> From: sbrad...@pacbell.net
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] MS14-066 Round Two
> 
> P.S.
> 
> Microsoft should not be ADDING new cipher deployments in a security 
> patch. That should have been included as an optional update. Don't be 
> throwing too much into a patch. This isn't the time to be adding new 
> stuff when you clearly are not testing as well as you used to.
> 
> Sorry this isn't bitching, but Microsoft needs to up their game here. 
> They are the ones not doing their job.
> 
> Susan Bradley
> http://blogs.msmvps.com/bradley
> http://www.runasradio.com/default.aspx?showNum=390
> 
> On 11/23/2014 7:57 AM, John Matteson wrote:
> >
> > *Well, as I understand it, the emergency patch MS-14-68 is to fix an 
> > issue that will allow an attacker to get elevated privileges.*
> >
> > *This is the text from the bulletin:*
> >
> > Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)
> > This security update resolves a privately reported vulnerability in 
> > Microsoft Windows Kerberos KDC that could allow an attacker to elevate 
> > unprivileged domain user account privileges to those of the domain 
> > administrator account. An attacker could use these elevated privileges 
> > to compromise any computer in the domain, including domain 
> > controllers. An attacker must have valid domain credentials to exploit 
> > this vulnerability. The affected component is available remotely to 
> > users who have standard user accounts with domain credentials; this is 
> > not the case for users with local account credentials only. When this 
> > security bulletin was issued, Microsoft was aware of limited, targeted 
> > attacks that attempt to exploit this vulnerability.
> >
> > *Management can piss and moan all they want to, but do they really 
> > want to leave their servers, including domain controllers, open to an 
> > attack with a known in the wild exploit?*
> >
> > *Doesn’t sound to me like this is Microsoft crying wolf, but a tech 
> > bitching about having to do his job.*
> >
> > *From:* listsad...@lists.myitforum.com 
> > [mailto:listsad...@lists.myitforum.com] *On Behalf Of* geoff taylor
> > *Sent:* Sunday, November 23, 2014 10:17 AM
> > *To:* ntsysadm@lists.myitforum.com
> > *Subject:* [NTSysADM] MS14-066 Round Two
> >
> > I am trying to determine if v 2.0 of MS14-066 is necessary to stem the 
> > vulnerability for Win2K8R2 and Win2012. We just got the first version 
> > with KB2992611 installed and now MS says that to have the install 
> > completed I must also install KB3018238. Fair enough. MS screwed up 
> > and now I need to patch the patch.
> >
> > But here is my issue. It is not clearly stated whether the 
> > vulnerability was already resolved and
> > KB3018238 is just to fix the TLS cyphers. (That is my interpretation).
> >
> > Upper management does not react well to URGENT patches that take down 
> > servers across the environment. To do it twice in one week, not cool 
> > MS. Are you listening? If I am not experiencing the cypher issue, I'll 
> > add the second patch, but on my regular schedule. Give me the 
> > information to make an informed decision.
> >
> > Sorry, have to run... I hear a faint call of "Wolf" from the hill.
> >
> >
> > gt
> >