Microsoft re-releases botched AD FS patch

Summary: Microsoft has re-issued one of the two updates that had to be withdrawn after last week's Patch Tuesday. The other remains withdrawn.

Last Tuesday was a bad Patch Tuesday for the Microsoft Server team. Two patches were issued, one for Exchange Server and one for AD FS (Active Directory Federation Services) 2.0, and both had to be withdrawn because of problems.

Now Microsoft has re-released the AD FS patch, a.k.a. MS13-066. The FAQ in the updated security bulletin explains the problem with the initial release:

The rereleased update addresses an issue in the original offerings that caused AD FS to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed; the rerelease removes this requirement. Furthermore, in creating this rerelease, Microsoft has consolidated the fixes contained in the two original updates (2843638 and 2843639) into a single 2843638 update. 

Even if you already applied the original, buggy update, Microsoft encourages you to apply the re-released one as soon as practicable. After doing so you will not see the 2790338 rollup in your list of installed updates, only the new 2843638 update.

The installation problem affected only the AD FS 2.0 update; customers running AD FS 1.x or 2.1 are not affected by the re-release. WSUS will offer the re-released update only to systems with AD FS 2.0 installed.

Microsoft classified the vulnerability (CVE-2013-3185) as an information disclosure vulnerability, but its practical impact is a denial of service (DoS):

The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance.
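The chain Microsoft describes is the one an AD FS administrator should be watching for on the domain controllers: a burst of wrong-password failures against the federation service account, arriving from addresses outside the corporate network, until the domain lockout policy trips and every relying application stops authenticating. The following detection logic is an added example written for this article, not code from Microsoft or from the bulletin. It replays Windows Security log records (Event ID 4625 logon failures and 4624 successes) against the lockout policy the way the domain controller's bad-password counter does, and reports when the account would lock and which external sources drove it there. The service account name (`svc-adfs`), the lockout threshold and reset window, the internal address ranges and the log records themselves are all constructed for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical values: the AD FS service account and the domain's account
# lockout policy ("Account lockout threshold" and "Reset account lockout
# counter after"). In a real domain these come from the AD FS service
# configuration and Get-ADDefaultDomainPasswordPolicy.
ADFS_SERVICE_ACCOUNT = "svc-adfs"
LOCKOUT_THRESHOLD = 5            # 0 means "never lock out" in Windows
RESET_WINDOW = timedelta(minutes=30)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed corporate ranges

BAD_PASSWORD = "0xC000006A"    # 4625 SubStatus: wrong password (counts toward lockout)
ALREADY_LOCKED = "0xC0000234"  # 4625 SubStatus: account is already locked out

# Constructed sample of Security log records (Event IDs 4624/4625), reduced to
# the fields used here. This is not data from a real domain controller.
SAMPLE_EVENTS = [
    {"time": "2013-08-20T09:55:00", "id": 4624, "user": "svc-adfs", "ip": "10.0.0.12",     "sub": "-"},
    {"time": "2013-08-20T10:00:01", "id": 4625, "user": "svc-adfs", "ip": "203.0.113.7",   "sub": BAD_PASSWORD},
    {"time": "2013-08-20T10:00:02", "id": 4625, "user": "svc-adfs", "ip": "203.0.113.7",   "sub": BAD_PASSWORD},
    {"time": "2013-08-20T10:00:03", "id": 4625, "user": "jdoe",     "ip": "10.0.0.44",     "sub": BAD_PASSWORD},
    {"time": "2013-08-20T10:00:04", "id": 4625, "user": "svc-adfs", "ip": "198.51.100.9",  "sub": BAD_PASSWORD},
    {"time": "2013-08-20T10:00:05", "id": 4625, "user": "SVC-ADFS", "ip": "203.0.113.7",   "sub": BAD_PASSWORD},
    {"time": "2013-08-20T10:00:06", "id": 4625, "user": "svc-adfs", "ip": "203.0.113.7",   "sub": BAD_PASSWORD},
    {"time": "2013-08-20T10:00:07", "id": 4625, "user": "svc-adfs", "ip": "203.0.113.7",   "sub": ALREADY_LOCKED},
]


def is_external(ip):
    """True if the source address is outside the assumed corporate ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def replay_lockout(events, account=ADFS_SERVICE_ACCOUNT,
                   threshold=LOCKOUT_THRESHOLD, window=RESET_WINDOW):
    """Replay logon events for one account against the lockout policy.

    Models the domain controller's bad-password counter: it increments on each
    wrong-password failure, resets to zero on a successful logon or when more
    than `window` has passed since the previous failure, and the account locks
    when it reaches `threshold`. A threshold of 0 disables lockout.

    Returns (locked_at, external_sources): the ISO timestamp of the failure that
    locked the account (None if the threshold is never reached) and the sorted
    external source IPs whose failures contributed to that lockout.
    """
    if threshold == 0:
        return None, []
    bad_count = 0
    last_failure = None
    contributors = set()
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        if ev["user"].lower() != account.lower():        # sAMAccountName is case-insensitive
            continue
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624:                             # successful logon resets the counter
            bad_count, contributors = 0, set()
            continue
        if ev["id"] != 4625 or ev["sub"] != BAD_PASSWORD:
            continue                                     # other failures do not count
        if last_failure is not None and t - last_failure > window:
            bad_count, contributors = 0, set()           # observation window expired
        bad_count += 1
        last_failure = t
        contributors.add(ev["ip"])
        if bad_count >= threshold:
            return t.isoformat(), sorted(ip for ip in contributors if is_external(ip))
    return None, []


if __name__ == "__main__":
    locked_at, sources = replay_lockout(SAMPLE_EVENTS)
    if locked_at:
        print(f"{ADFS_SERVICE_ACCOUNT} locked out at {locked_at}; external sources: {sources}")
    else:
        print(f"{ADFS_SERVICE_ACCOUNT} did not reach the lockout threshold")
```

Two policy knobs decide whether the disclosure turns into an outage, and the replay makes both visible: with a threshold of 0 the account never locks, and with a short reset window the isolated failures never accumulate. Neither is a substitute for the update itself; exempting the service account from lockout trades this denial of service for exposure to password guessing, so the sensible order is to install 2843638 first and then decide whether the lockout policy for that one account needs a fine-grained exception.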

The other withdrawn update (MS13-061, which fixes vulnerabilities in an Oracle component used by Exchange Server) remains withdrawn. Presumably the fix will require coordination with Oracle.

Topics: Security, Servers, Windows Server

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
