When Microsoft published a critical update this month for multiple versions of Windows Server, it also released a fix for several previous versions of the Windows client OS which includes even the technical preview for Windows 10.
It’s critical to get the patch out for Windows Server: An develpment affecting Windows Server 2008 R2 and earlier versions has already been detected, and Windows Server 2012 and later releases are vulnerable to a related but more difficult attack.
But the vulnerability isn’t currently in the desktop systems of Windows. In Windows Server, the flaw enables attackers to employ the username and password of anybody in an Active Directory domain to get the same system privileges as a domain administrator, using a false Privilege Attribute Certificate to trick the Kerberos Domain Controller that manages the remote access.
The bulletin for the patch states there’s never security impact for the client versions of Windows. Then why did Microsoft also provide an update for Windows Vista, Windows 7, Windows 8, Windows 8.1 and the Windows 10 Technical Preview?
The reason is that although they do not have the specific vulnerability, inspecting the Windows source code to learn how the Privilege Attribute Certificate could be false revealed some older code that Microsoft wasn’t satisfied with any longer, a representative from the company told us. That could indicate other potential attacks, although they declined to provide more relevant details.
“The ‘hardening’ on the client side is the replacement of the previous code with newer code. In our investigation, although we did not find a vulnerability on these platforms, we did discover a code that needed to be improved for meetting our present security standards,” the representative expressed.
Although Microsoft hasn’t said whether Windows XP also had the problem code, it’s likely it does given the age of the code involved. As XP is out of support, only companies that are paying for extended support contracts would get an update for it — another incentive for anyone still using the older OS to upgrade.
The update applied to the Windows Server Technical Preview as well, but Microsoft said it doesn’t list security impact and severity ratings for previews. “As customers know, beta software is not fully supported and we do not want to cause customer confusion,” the representative said.