Microsoft re-releases botched AD FS patch

Microsoft has re-issued one of the two updates which had to be withdrawn after last week's Patch Tuesday. The other remains withdrawn.

Last Tuesday was a bad Patch Tuesday for the Microsoft Server team. Two patches were issued, one for Exchange Server and one for AD FS (Active Directory Federation Services) 2.0, and both had to be withdrawn because of problems.

Now Microsoft has re-released the AD FS patch, a.k.a. MS13-066. The FAQ in the updated security bulletin explains the problem with the initial release:

The rereleased update addresses an issue in the original offerings that caused AD FS to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed; the rerelease removes this requirement. Furthermore, in creating this rerelease, Microsoft has consolidated the fixes contained in the two original updates (2843638 and 2843639) into a single 2843638 update.

Even if you already applied the previous buggy patch, Microsoft encourages you to apply the new one as soon as practicable. If you do so, you will not see the 2790338 rollup in your list of installed updates, just the new 2843638 patch.

The problem only affected AD FS 2.0, not 1.x or 2.1. The update will only be offered by WSUS if AD FS 2.0 is installed on the system.
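An administrator who wants to confirm whether a server is in scope for the re-release, and which of the updates named above it currently carries, can check the AD FS service and the installed hotfix list. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the AD FS 2.0 Windows service is registered under the name `adfssrv` and that `Get-HotFix` reports the updates under the KB numbers the bulletin uses.

```powershell
# Added example (not from the article or from Microsoft): report whether this
# host runs the AD FS service and which MS13-066-related updates are present.
# Assumption: the AD FS 2.0 Windows service is named 'adfssrv'.

$adfs = Get-Service -Name 'adfssrv' -ErrorAction SilentlyContinue
if (-not $adfs) {
    Write-Output 'AD FS service not found; MS13-066 does not apply to this host.'
    return
}
Write-Output ("AD FS service status: {0}" -f $adfs.Status)

# KB numbers as listed in the bulletin FAQ quoted above. The re-release folds
# 2843638 and 2843639 into a single 2843638 and drops the 2790338 prerequisite.
$patches = @{
    'KB2843638' = 'MS13-066 re-release (consolidated fix)'
    'KB2843639' = 'MS13-066 original second update (superseded by re-release)'
    'KB2790338' = 'AD FS 2.0 RU3 QFE (no longer required by the re-release)'
}

$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in ($patches.Keys | Sort-Object)) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'not installed' }
    Write-Output ("{0,-10} {1,-14} {2}" -f $kb, $state, $patches[$kb])
}
```

On a host that has taken the re-release you would expect to see KB2843638 installed and, as the article notes, no longer see KB2790338 in the list; a host that shows KB2843639 but not the consolidated KB2843638 is still on the withdrawn offering.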

Microsoft termed the vulnerability (CVE-2013-3185) an Information Disclosure vulnerability, but its potential effect is a DoS:

The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance.
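The symptom the bulletin describes, the AD FS service account being locked out by repeated logon attempts, is visible on the domain controller as Security event ID 4740 ("A user account was locked out"). The following PowerShell is an added example, not code from the article or from Microsoft, that pulls recent 4740 events for the AD FS service account so a defender can spot this pattern; the account name is a placeholder assumption, and the script relies on the 4740 event's `TargetUserName` field holding the locked account and its `TargetDomainName` field holding the caller computer name.

```powershell
# Added example (not from the article or from Microsoft): run on a domain
# controller to list lockouts of the AD FS service account in the last 24 hours.
# 'svc-adfs' is a placeholder; substitute the service account AD FS actually uses.

$adfsServiceAccount = 'svc-adfs'        # placeholder assumption
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740                     # "A user account was locked out"
    StartTime = $since
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Parse the EventData block so fields can be read by name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -eq $adfsServiceAccount) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            # In 4740, the caller computer name is carried in TargetDomainName.
            CallerComputer = $data['TargetDomainName']
            DomainController = $e.MachineName
        }
    }
}

if (-not $lockouts) {
    Write-Output ("No lockouts of '{0}' since {1}." -f $adfsServiceAccount, $since)
} else {
    Write-Output ("{0} lockout(s) of '{1}' since {2}:" -f @($lockouts).Count, $adfsServiceAccount, $since)
    $lockouts | Sort-Object Time | Format-Table -AutoSize
}
```

Repeated lockouts of the service account, especially ones whose caller computer is not one of the AD FS servers, are the denial-of-service condition the bulletin warns of; until the re-released update is applied, that is the signal to watch for, and the affected applications will fail as soon as the account is locked.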

The other withdrawn update (MS13-061, vulnerabilities in an Oracle component in Exchange Server) remains withdrawn. Presumably the fix will involve coordination with Oracle.