Microsoft has re-released one of the August security patches for Windows Server 2008 in order to fix a regression issue that would cause some servers to stop working. The MS13-066 patch was released again Monday after Microsoft discovered the problem last week.
The patch in the MS13-066 update fixes a vulnerability Active Directory Federation Services that could enable an attacker to cause a denial-of-service condition on a vulnerable server under the right circumstances.
“This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance,” Microsoft said in the original bulletin.
The vulnerability affects several versions of Windows Server 2008, as well as Windows Server 2003 and Windows Server 2012. However, the regression issue that caused the re-release of the patch only affected Server 2008 installations. Customers that run affected versions should reinstall the patch.
“Microsoft rereleased this bulletin to announce the reoffering of the 2843638 update for Active Directory Federation Services 2.0 on Windows Server 2008 and Windows Server 2008 R2. The rereleased update addresses an issue in the original offerings that caused AD FS to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed; the rerelease removes this requirement. Furthermore, in creating this rerelease, Microsoft has consolidated the fixes contained in the two original updates (2843638 and 2843639) into a single 2843638 update. Customers who already installed the original updates will be reoffered the 2843638 update and are encouraged to apply it at the earliest opportunity. Note that when the installation is complete, customers will see only the 2843638 update in the list of installed updates,” the update says.
It’s not unheard of for Microsoft to reissue patches, and it typically occurs when there’s an unforeseen error like this one that ends up breaking another service or feature.
