Microsoft was due to send out the Phase 3 security hardening for a Windows Kerberos elevation of privilege flaw it first confirmed last November. The company originally said last month that Phase 3 would arrive during April 2023 Patch Tuesday, which was this week. However, Microsoft now says it is delaying the release until June 13, 2023.
The story stems from last November when Microsoft confirmed an elevation of privilege vulnerability in Windows Kerberos, the identity authentication protocol. Following the confirmation, the company sent out a security fix for servers (KB5019081) as part of that month's Patch Tuesday.
The patch series targets the Windows Kerberos flaw, tracked as CVE-2022-37967, that allows threat actors to alter Privilege Attribute Certificate (PAC) signatures. At the time of its discovery and disclosure, the company described the issue in the following way:
“The November 8, 2022 Windows updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures. This security update addresses Kerberos vulnerabilities where an attacker could digitally alter PAC signatures, raising their privileges.
To help secure your environment, install this Windows update to all devices, including Windows domain controllers.”
Shifting to a June Release for Phase 3
Microsoft is now delaying the final Phase 3 update, confirming the change on the Windows Health Dashboard:
“Security hardening changes needed on domain controllers in IT environments to address CVE-2022-37967 will enter the Third deployment phase, as outlined in KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 on June 13, 2023. Previous announcements had listed this change as taking place in April, however, that date has changed.”
Microsoft explains what users can expect when Phase 3 lands in June:
- “Remove the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0.”