MS15-121: Security update for Schannel to address spoofing: November 10, 2015

Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials

Summary


This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow spoofing if an attacker performs a man-in-the-middle (MiTM) attack between a client and a legitimate server.

To learn more about the vulnerability, see Microsoft Security Bulletin MS15-121.

More Information


Important
  • All future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.
  • If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Known issues in this security update

  • 3144474 TFS application pool and Certreq.exe crash after security update 3081320 is installed in Windows Server 2012 R2
  • This update makes changes that are required for the Extended Master Secret Transport Layer Security (TLS) extension. These changes will break any existing Cryptographic Next Generation (CNG) SSL providers. We recommend that you work with your vendor to update your CNG SSL providers. In the meantime, to work around this issue, you can edit the registry to disable the Extended Master Secret extension.


    Warning This workaround should only be used as a temporary measure until you update your CNG SSL providers. This workaround will disable this security update, and therefore this workaround will remove the protection that is provided by this security update. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.


    For more information, visit the following Microsoft webpage:
    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
    322756 How to back up and restore the registry in Windows
    To make these registry changes, follow these steps:
    1. Click Start, click Run, type regedit in the Open box, and then click OK.
    2. Locate and then click the following subkey in the registry:
      HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel
    3. On the Edit menu, point to New, and then click DWORD Value.
      • For the computer that is receiving the connection request, type DisableServerExtendedMasterSecret: REG_DWORD for the name of the DWORD, and then press ENTER.
      • For the computer that is initiating the connection request, type DisableClientExtendedMasterSecret: REG_DWORD for the name of the DWORD, and then press ENTER.
    4. Right-click the new DWORD entry, and then click Modify.
    5. Type 1 (or any non-zero value) in the Value data box to disable the TLS extension.
    Note You do not have to restart the computer after you make changes to the DisableClientExtendedMasterSecret registry settings. However, you must restart the computer if you delete the DisableClientExtendedMasterSecret registry settings.
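
Because the workaround removes the protection that this update provides, it helps to track which computers still have it set. The following PowerShell is an added example, not part of the original Microsoft article: it reads the two values named in the steps above and reports whether each one disables the extension. The function name Get-SchannelEmsWorkaround is hypothetical, and treating only a non-zero DWORD as "disabled" is an assumption based on step 5.

```powershell
# Added example (not from the original article): audit the temporary
# Extended Master Secret (EMS) workaround described in the steps above.
function Get-SchannelEmsWorkaround {
    [CmdletBinding()]
    param(
        # Subkey from step 2 of the procedure.
        [string]$Path = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\Schannel'
    )

    # Value names from step 3, keyed by the role they apply to.
    $roles = [ordered]@{
        Server = 'DisableServerExtendedMasterSecret'  # computer receiving the connection
        Client = 'DisableClientExtendedMasterSecret'  # computer initiating the connection
    }

    # Returns $null if the subkey does not exist.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue

    foreach ($role in $roles.Keys) {
        $name  = $roles[$role]
        $value = $null
        $kind  = $null
        if ($key) {
            $value = $key.GetValue($name, $null)
            if ($null -ne $value) { $kind = $key.GetValueKind($name) }
        }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Role        = $role
            ValueName   = $name
            Present     = ($null -ne $value)
            Kind        = $kind
            Value       = $value
            # Assumption: only a DWORD with non-zero data counts as disabling EMS (step 5).
            EmsDisabled = ($kind -eq 'DWord' -and $value -ne 0)
        }
    }
}

# Report both roles; rows with EmsDisabled = True still rely on the workaround.
Get-SchannelEmsWorkaround | Format-Table -AutoSize
```

A row with Present = True but a Kind other than DWord points to a value that was not created as the procedure describes and should be reviewed by hand.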

How to obtain and install the update


Method 1: Windows Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Get security updates automatically.

Note For Windows RT and Windows RT 8.1, this update is available through Windows Update only.

More Information