
SecurityWeek


Microsoft Re-releases Windows Server Security Update

Microsoft has re-issued a patch for a Windows Server vulnerability after discovering an issue that could cause the Active Directory Federation Services (AD FS) component to stop working.


The bulletin, MS13-066, is aimed at closing a vulnerability that could reveal information pertaining to a service account used by AD FS. According to Microsoft, AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners across an extranet.

 “This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS),” according to Microsoft. “The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance.”

The company re-released the bulletin to address an issue in the original bulletin that caused Active Directory Federation Services 2.0 to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed. The updated release removes that requirement.

The security update is rated Important for AD FS 2.0 when installed on non-Itanium editions of Windows Server 2008 and Windows Server 2008 R2; it is also rated Important for AD FS 2.1 when installed on Windows Server 2012, according to Microsoft.

So far, the company has not detected any attempts to exploit the vulnerability.

The move comes six days after Patch Tuesday and five days after Microsoft was forced to pull a security bulletin for a separate vulnerability affecting Microsoft Exchange Server 2013. In that case, after the update was installed, the Content Index for mailbox databases shows as failed and the Microsoft Exchange Search Host Controller service is renamed. Microsoft has not yet re-issued the update (MS13-061), which was intended to close three vulnerabilities and was rated ‘Critical’ by Microsoft. 

Written By

Marketing professional with a background in journalism and a focus on IT security.
