Microsoft has re-issued a patch for a Windows Server vulnerability after discovering an issue that could cause the Active Directory Federation Services (AD FS) component to stop working.
The bulletin, MS13-066, is aimed at closing a vulnerability that could reveal information pertaining to a service account used by AD FS. According to Microsoft, AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners across an extranet.
“This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS),” according to Microsoft. “The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance.”
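The denial-of-service chain Microsoft describes is indirect: the flaw leaks the service account name, and repeated failed logons against that account from outside the network trip the domain's lockout policy, which then locks the account every AD FS-dependent application signs in with. The detection logic below, an added example that is not Microsoft's code or part of the bulletin, replays that chain over constructed failed-logon records (loosely modelled on Windows Security event ID 4625; the field names are assumptions for this example, not the real log schema) and reports which watched service accounts would be locked by a given threshold and observation window, and from which sources the attempts came. Feeding it real exported events lets a defender confirm whether a lockout policy is quietly exposing a service account to this kind of DoS.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (assumption: simplified shape of Windows Security
# failed-logon events, ID 4625, plus one success, ID 4624). Timestamps and IPs
# are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2013-08-19T10:00:01", "event_id": 4625, "account": "svc-adfs", "source_ip": "203.0.113.10"},
    {"time": "2013-08-19T10:00:20", "event_id": 4625, "account": "alice",    "source_ip": "10.0.0.5"},
    {"time": "2013-08-19T10:00:25", "event_id": 4625, "account": "svc-adfs", "source_ip": "203.0.113.10"},
    {"time": "2013-08-19T10:00:40", "event_id": 4625, "account": "svc-adfs", "source_ip": "198.51.100.7"},
    {"time": "2013-08-19T10:00:55", "event_id": 4625, "account": "svc-adfs", "source_ip": "198.51.100.7"},
    {"time": "2013-08-19T10:01:05", "event_id": 4625, "account": "alice",    "source_ip": "10.0.0.5"},
    {"time": "2013-08-19T10:01:10", "event_id": 4625, "account": "svc-adfs", "source_ip": "203.0.113.10"},
    {"time": "2013-08-19T10:02:00", "event_id": 4624, "account": "svc-adfs", "source_ip": "10.0.0.9"},
]

# Assumption: the AD FS service account is named svc-adfs in this example.
WATCHED_SERVICE_ACCOUNTS = {"svc-adfs"}

FAILED_LOGON = 4625


def lockout_exposure(events, watched_accounts, threshold, window):
    """Simulate an account lockout policy over failed-logon events.

    `threshold` failed logons for one watched account within `window` (a
    timedelta) is treated as the point at which the policy would lock it.
    Returns {account: {"locked_at": iso_time, "sources": [ips]}} for every
    watched account that reaches the threshold; accounts that never do are
    omitted. Events are processed in time order; non-failure events and
    unwatched accounts are ignored.
    """
    recent = defaultdict(deque)   # account -> timestamps inside the window
    sources = defaultdict(set)    # account -> source IPs of failed attempts
    exposed = {}

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != FAILED_LOGON or ev["account"] not in watched_accounts:
            continue
        account = ev["account"]
        t = datetime.fromisoformat(ev["time"])
        sources[account].add(ev["source_ip"])

        q = recent[account]
        q.append(t)
        # Drop attempts that fell outside the observation window.
        while q and t - q[0] > window:
            q.popleft()

        if len(q) >= threshold and account not in exposed:
            exposed[account] = {
                "locked_at": ev["time"],
                "sources": sorted(sources[account]),
            }

    return exposed


def report(events=SAMPLE_EVENTS, threshold=5, window=timedelta(minutes=30)):
    """Convenience wrapper using the constructed sample data."""
    return lockout_exposure(events, WATCHED_SERVICE_ACCOUNTS, threshold, window)


if __name__ == "__main__":
    for account, info in report().items():
        print(f"{account}: would be locked at {info['locked_at']} "
              f"after failed logons from {', '.join(info['sources'])}")
```

With the sample data and a policy of five failures in thirty minutes, the service account is reported as locked at the fifth failed attempt, with both external source addresses listed; the user account alice never reaches the threshold and is not reported. Raising the threshold to ten returns an empty result, which is the quick way to see how a lockout policy's parameters decide whether an exposed service account becomes a DoS target.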
The company re-released the bulletin to address an issue in the original bulletin that caused Active Directory Federation Services 2.0 to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed. The updated release removes that requirement.
The security update is rated Important for AD FS 2.0 when installed on non-Itanium editions of Windows Server 2008 and Windows Server 2008 R2; it is also rated Important for AD FS 2.1 when installed on Windows Server 2012, according to Microsoft.
So far, the company has not detected any attempts to exploit the vulnerability.
The move comes six days after Patch Tuesday and five days after Microsoft was forced to pull a security bulletin for a separate vulnerability affecting Microsoft Exchange Server 2013. In that case, after the update was installed, the Content Index for mailbox databases shows as failed and the Microsoft Exchange Search Host Controller service is renamed. Microsoft has not yet re-issued the update (MS13-061), which was intended to close three vulnerabilities and was rated ‘Critical’ by Microsoft.
More from Brian Prince