Microsoft has re-issued a patch for a Windows Server vulnerability after discovering an issue that could prevent the Active Directory Federation Services (AD FS) component to stop working.
The bulletin, MS13-066, is aimed at closing a vulnerability that could reveal information pertaining to a service account used by AD FS. According to Microsoft, AD FS is a standards-based service allows the secure sharing of identity of information between trusted business partners across an extranet.
“This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS),” according to Microsoft. “The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance.”
The company re-released the bulletin to address an issue in the original bulletin that caused Active Directory Federation Services 2.0 to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed. The updated release removes that requirement.
The security update is rated Important for AD FS 2.0 when installed on non-Itanium editions of Windows Server 2008 and Windows Server 2008 R2; it is also rated Important for AD FS 2.1 when installed on Windows Server 2012, according to Microsoft.
So far, the company has not detected any attempts to exploit the vulnerability.
The move comes six days after Patch Tuesday and five days after Microsoft was forced to pull a security bulletin for a separate vulnerability affecting Microsoft Exchange Server 2013. In that case, after the update was installed, the Content Index for mailbox databases shows as failed and the Microsoft Exchange Search Host Controller service is renamed. Microsoft has not yet re-issued the update (MS13-061), which was intended to close three vulnerabilities and was rated ‘Critical’ by Microsoft.
