Microsoft re-releases botched AD FS patch

Microsoft re-releases botched AD FS patch

Summary: Microsoft has re-issued one of the two updates which had to be withdrawn after last week's Patch Tuesday. The other remains withdrawn.


Last Tuesday was a bad Patch Tuesday for the Microsoft Server team. Two patches were issued, one for Exchange Server, one for AD FS (Active Directory Federation Services) 2.0, and both had to be withdrawn for problems.

Now Microsoft has re-released the ADFS patch, a.k.a. MS13-066. The FAQ in the updated security bulletin explains the problem with the initial release:

The rereleased update addresses an issue in the original offerings that caused AD FS to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed; the rerelease removes this requirement. Furthermore, in creating this rerelease, Microsoft has consolidated the fixes contained in the two original updates (2843638 and 2843639) into a single 2843638 update. 

Even if you already applied the previous buggy patch, Microsoft encourages you to apply the new one as soon as practicable. If you do so, you will not see the 2790338 rollup in your list of installed updates, just the new 2843638 patch.

The problem only affected AD FS 2.0, not 1.x or 2.1. The update will only be offered by WSUS if AD FS 2.0 is installed on the system.

Microsoft termed the vulnerability (CVE-2013-3185) an Information Disclosure vulnerability, but the potential effect of it is a DOS:

The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance.

The other withdrawn update (MS13-061, vulnerabilities in an Oracle component in Exchange Server) remains withdrawn. Presumably the fix will involve coordination with Oracle.

Topics: Security, Servers, Windows Server

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • august updates

    and these aren't the only updates that are creating problems, IE for Windows 8.1 updates made a lot of problems while surfing the net,one of them is a Adobe Flash Player and a lot of pages can't be loaded for unknown reasons.Worst monthly patch MS ever did.
    Koko Bill
    • Lots of random problems

      I've been hearing of a lot of weird, random issues from the last updates, from file associations getting screwed up, to PCs having a really hard time starting up. These were XP systems, though, so maybe Microsoft doesn't even bother testing the XP updates and patches that much anymore.
  • blue screen

    after update ... system just crashed ...
    patrick lion