Microsoft has released an emergency patch for a flaw in Windows that could potentially allow anyone in a company to log in as the CEO.
The update fixes a bug in the Kerberos authentication system that could allow attackers to elevate their privileges across a domain. It could potentially allow any employee account to compromise any computer within that domain, including the domain controllers or even the CEO's system.
"An authenticated domain user could send the Kerberos KDC a forged Kerberos ticket which claims the user is a domain administrator," says Microsoft's security alert. "Kerberos KDC improperly validates the forged ticket signature when processing requests from the attacker, allowing the attacker to access any resource on the network with the identity of a domain administrator."
The patch has been released immediately, rather than in the regular Patch Tuesday cycle, because Microsoft has been made aware of "limited, targeted attacks that attempt to exploit this vulnerability".
If exploited, the attackers could wreak havoc on the company's network. "An attacker that successfully exploited this vulnerability could impersonate any user on the domain, including domain administrators, and join any group," says Microsoft. "By impersonating the domain administrator, the attacker could install programs; view, change or delete data; or create new accounts on any domain-joined system."
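One way a defender can look for the impersonation described above, as an added example that is not from the article or from Microsoft: a forged ticket lets a low-privilege account log on under a domain administrator's identity, so this script checks Windows logon events (ID 4624) and flags any whose Security ID does not match the SID the directory holds for that account name. The directory snapshot, the event lines and the field layout are all constructed for the example, and treating a SID/account-name mismatch as the symptom is an assumption, not something the article states.

```python
import re

# Constructed directory snapshot: the SID each account is expected to present.
# Names and SIDs are made up for this example.
DIRECTORY = {
    "alice":         "S-1-5-21-1000000000-2000000000-3000000000-1105",
    "bob":           "S-1-5-21-1000000000-2000000000-3000000000-1106",
    "administrator": "S-1-5-21-1000000000-2000000000-3000000000-500",
}

# Constructed logon records, flattened to one "key=value" line each.
# The third line is the anomaly: bob's name, but the administrator's SID.
SAMPLE_EVENTS = """\
EventID=4624 SecurityID=S-1-5-21-1000000000-2000000000-3000000000-1105 AccountName=alice Workstation=WS01
EventID=4624 SecurityID=S-1-5-21-1000000000-2000000000-3000000000-500 AccountName=administrator Workstation=DC01
EventID=4624 SecurityID=S-1-5-21-1000000000-2000000000-3000000000-500 AccountName=bob Workstation=DC01
EventID=4672 SecurityID=S-1-5-21-1000000000-2000000000-3000000000-1106 AccountName=bob
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD.findall(line))


def check_logon(event, directory=DIRECTORY):
    """Return a reason string if a 4624 logon is inconsistent with the directory, else None."""
    if event.get("EventID") != "4624":
        return None  # only successful-logon events carry the identity pair we compare
    name = event.get("AccountName", "").lower()
    sid = event.get("SecurityID", "")
    expected = directory.get(name)
    if expected is None:
        return f"unknown account '{name}' presented SID {sid}"
    if sid != expected:
        return f"account '{name}' logged on with SID {sid}, directory says {expected}"
    return None


def find_suspicious_logons(text, directory=DIRECTORY):
    """Scan event lines and return (workstation, reason) for each mismatch."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            reason = check_logon(ev, directory)
            if reason:
                findings.append((ev.get("Workstation", "?"), reason))
    return findings


if __name__ == "__main__":
    for host, reason in find_suspicious_logons(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

On a real domain the directory mapping would come from an export of user SIDs, and the events from the domain controllers' Security logs rather than from inline text.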
The patch covers all supported versions of Windows and Windows Server, although Microsoft says Server 2012 systems were not vulnerable to the flaw.