Microsoft releases out-of-band update for Windows Server

Microsoft has released a rare out-of-band security update to address a vulnerability on certain Windows Server systems.

The update, released on Sunday, is expected to be applied to Windows Server 2008, 2012, 2016, and 2019 installations where the server is used as a domain controller. Machines running only Active Directory are not impacted.

Administrators are advised to test and install updates to resolve an authentication issue that was discovered and detailed last week. Microsoft said the vulnerability prevented servers from authenticating users that relied on single sign-on tokens and certain Active Directory and SQL Server services.

The Windows security advisory stated that the intent of the update was to “resolve authentication failure issues on domain controllers with certain Kerberos delegation scenarios on all supported versions of Windows Server when used as a domain controller”.

According to Microsoft, the problem was the way Windows Server handled Kerberos authentication tokens. Specifically, a bug in the S4U2self extension prevented authentication of Kerberos tickets.

While the decision to push an update outside of the normal Microsoft Patch Tuesday monthly schedule is relatively rare, Microsoft will occasionally go out of band in order to fix potentially serious issues, in this case a bug that caused authentication failures.

Last week Microsoft released the November edition of Patch Tuesday, addressing a total of 55 CVE-listed vulnerabilities. Of these, two vulnerabilities had been exploited in the wild as zero-day vulnerabilities and four more had been made public before the patches were applied.

Monday’s update will further increase the patch workload for companies still working to test and install the dozens of Patch Tuesday updates as well as the fixes from Adobe released on the same day.

There is good news for administrators, however. Since the bug only affects Windows Server systems used as domain controllers, end user PCs running the client version of Windows will not need to be updated.

Because the hotfix is not distributed through the Automated Windows Update Service, it will need to be obtained through the Windows Server Update Services portal.
