MS13-066: Vulnerability in Active Directory Federation Services could allow information disclosure: August 13, 2013

INTRODUCTION

Microsoft has released security bulletin MS13-066. To view the complete security bulletin, go to the following Microsoft website:

How to obtain help and support for this security update

Help for installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help protect your Windows-based computer from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support

More Information

Notes for computers running Windows Server 2012
  • Computers running Windows Server 2012 will be offered security updates 2843638 and 2843639. These packages are chain installed.
  • When the installation is complete, both updates 2843638 and 2843639 are listed in the list of installed updates.
  • Windows Update will not re-offer these security updates if the previous versions are already installed.
Notes for computers running Windows Server 2008 R2 and Windows Server 2008
  • Computers running Windows Server 2008 R2 and Windows Server 2008 will only be offered security update 2843638. This package includes the security updates that are included in 2843638 and 2843639. Windows Update will not re-offer these security updates if the previous versions are already installed.
  • When the installation is complete, only update 2843638 is listed in the list of installed updates.
  • A previous revision of this security update required that http://support.microsoft.com/kb/2790338 be applied to avoid functionality issues with security update 2843639. This dependency is no longer required for computers running Windows Server 2008 R2 and Windows Server 2008.
  • Windows Update will re-offer security update 2843638 if the previous version of the security update is already installed.

Known issues and additional information about this security update

  • Microsoft is aware of problems with the security updates described in MS13-066 that affect Active Directory Federation Services (ADFS) 2.0. The problems could cause ADFS to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed.

    On August 19th 2013, Microsoft rereleased security update 2843638 to address this issue. Customers who already installed the original updates will be reoffered security update 2843638 and are encouraged to apply it at the earliest opportunity. Note that when the installation is complete, customers will see only the 2843638 update in the list of installed updates.


The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed under each article link.
  • 2868846 MS13-066: Description of the security update for Active Directory Federation Services 1.x: August 13, 2013
    Note After you install this security update, you must edit the Clientlogon.aspx page to add the text "autocomplete=off" for the Username and Password text boxes to manually complete the installation.
  • 2843638 MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013

    Known issues in security update 2843638:
    • Microsoft Knowledge Base article 2843638 describes several issues that are resolved by hotfix 2896713. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
      2896713 Update is available to fix several issues after you install security update 2843638 on an AD FS server
  • 2843639 MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013

    Known issues in security update 2843639:
    • Knowledge Base article 2843639 describes several issues that are resolved by hotfix 2896713. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
      2896713 Update is available to fix several issues after you install security update 2843638 on an AD FS server
    Note After you install this security update, you must edit the FormsSignIn.aspx page to add the text "autocomplete=off" for the Username and Password text boxes to manually complete the installation.
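
The manual step in the two notes above (Clientlogon.aspx for AD FS 1.x, FormsSignIn.aspx for AD FS 2.0) is easy to miss after patching, so the following added example, which is not part of the Microsoft article, scans a sign-in page and reports credential text boxes that still lack autocomplete=off. The sample markup and control IDs are constructed, and the rule for recognising a Username or Password box is an assumption.

```python
import re
import sys

# Opening <asp:TextBox ...> or <input ...> tags, including tags split across lines.
# Assumption: attribute values contain no ">" (true for plain sign-in markup).
TAG_RE = re.compile(r"<(?:asp:TextBox|input)\b[^>]*>", re.IGNORECASE)
# Accepts name="value", name='value' and unquoted name=value.
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>/]+))""")

# Constructed sample, not the shipped page: one fixed box, one unfixed, one unrelated.
SAMPLE = '''\
<asp:TextBox runat="server" ID="UsernameTextBox" autocomplete="off"></asp:TextBox>
<asp:TextBox runat="server" ID="PasswordTextBox"
             TextMode="Password"></asp:TextBox>
<asp:TextBox runat="server" ID="SearchBox"></asp:TextBox>
<input type="password" name="Password2" autocomplete=off />
'''


def fields_missing_autocomplete_off(markup):
    """Return [(line, control_id)] for credential boxes without autocomplete=off."""
    findings = []
    for tag in TAG_RE.finditer(markup):
        attrs = {name.lower(): dq or sq or bare
                 for name, dq, sq, bare in ATTR_RE.findall(tag.group(0))}
        ident = attrs.get("id") or attrs.get("name") or "<no id>"
        # Heuristic (assumption): "username"/"password" in the id or name,
        # or a password-mode field, marks a credential box.
        is_credential = (
            re.search(r"username|password", ident, re.IGNORECASE) is not None
            or attrs.get("textmode", "").lower() == "password"
            or attrs.get("type", "").lower() == "password"
        )
        if is_credential and attrs.get("autocomplete", "").lower() != "off":
            findings.append((markup.count("\n", 0, tag.start()) + 1, ident))
    return findings


def main(paths):
    """Check each file; return 1 if any credential box is unfixed, else 0."""
    status = 0
    for path in paths:
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            for line, ident in fields_missing_autocomplete_off(fh.read()):
                print(f"{path}:{line}: {ident} lacks autocomplete=off")
                status = 1
    return status


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    print(fields_missing_autocomplete_off(SAMPLE))
```

Pass the path of the edited sign-in page as an argument; a non-zero exit status means at least one credential box still needs the attribute.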

FILE INFORMATION

File hash information
Properties

Article ID: 2873872 - Last Review: Nov 20, 2013 - Revision: 1
