MS16-137: Description of the security update for Windows authentication methods: November 8, 2016

Applies to: Windows Server 2008 Service Pack 2, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise

Summary


This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege. To exploit this vulnerability, the attacker would first have to authenticate to the targeted domain-joined system by using valid user credentials. An attacker who successfully exploited this vulnerability could elevate their permissions from an unprivileged user account to administrator. The attacker could then create accounts, install programs, or view, change, or delete data. The attacker could then try to elevate privilege locally by executing a specially crafted application that could manipulate NTLM password change requests.

To learn more about the vulnerability, see Microsoft Security Bulletin MS16-137.

More Information


Important
  • If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you require before you install this update. For more information, see Add language packs to Windows.

Known issues in this security update

User-initiated and programmatic password changes to domain user accounts may fail if the same user account is logged on to more than one computer at the same time and password changes for that account are made from two or more of those computers. Such password changes fail only if NTLM is used.

Specifically, the following errors are returned:

Hexadecimal   Decimal       Error ID                     Error description
0xc0000388    1073740920    STATUS_DOWNGRADE_DETECTED    The system detected a possible attempt to compromise security. Please make sure that you can contact the server that authenticated you.
0x4f1         1265          ERROR_DOWNGRADE_DETECTED     The system detected a possible attempt to compromise security. Please make sure that you can contact the server that authenticated you.

Example scenario

  1. A domain user logs on to computer A and computer B.
  2. The user changes their domain password from computer A without logging off computer B.
  3. The domain user tries to change their password from computer B.

In this scenario, the password change attempt from computer B may fail with the following error message:

The system detected a possible attempt to compromise security. Please make sure that you can contact the server that authenticated you.

If the password change is performed programmatically, you may receive either an ERROR_DOWNGRADE_DETECTED or a STATUS_DOWNGRADE_DETECTED error status. This behavior occurs when the NTLM authentication package is used for the password change for domain accounts if Kerberos fails to find a domain controller and then falls back to NTLM. In this scenario, NTLM fallback was disabled by MS16-101 and was re-enabled by MS16-137-related updates.


Calling NTLM directly also causes password changes to fail in this scenario. To resolve all domain password change issues, make sure that Kerberos is functional, and also make sure that Kerberos is used for password changes to domain accounts. For more information, see the "Known issue 1" section in KB 3167679.
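The resolution above asks the administrator to confirm two things before retrying a failed change: that Kerberos can reach a domain controller (otherwise the change falls back to NTLM) and that the session is actually using Kerberos. The following PowerShell is an added diagnostic example, not part of this KB article or Microsoft's own tooling. It performs those two checks with the built-in nltest.exe and klist.exe and decodes the two error codes from the table above; it does not change a password. The function names and the domain value are illustrative assumptions.

```powershell
# Added example (not from the KB article): pre-flight checks for the NTLM password-change
# known issue. Assumptions: runs on a domain-joined Windows host in the session of the user
# whose password will be changed; nltest.exe and klist.exe ship with Windows; function
# names are illustrative.

function Test-KerberosPasswordChangePath {
    param([Parameter(Mandatory)] [string] $Domain)

    # 1. Can a domain controller that is a KDC be located for this domain?
    #    If DC location fails, the password change path falls back to NTLM and can
    #    fail with *_DOWNGRADE_DETECTED as described above.
    $nltest = (& nltest.exe "/dsgetdc:$Domain" /kdc 2>&1) | Out-String
    $kdcLocated = ($LASTEXITCODE -eq 0) -and ($nltest -match 'The command completed successfully')

    # 2. Does this logon session hold Kerberos tickets? klist prints "Cached Tickets: (N)";
    #    N = 0 indicates the session has not authenticated with Kerberos.
    $klist = (& klist.exe 2>&1) | Out-String
    $ticketCount = 0
    if ($klist -match 'Cached Tickets:\s*\((\d+)\)') { $ticketCount = [int]$Matches[1] }

    [pscustomobject]@{
        Domain             = $Domain
        KdcLocated         = $kdcLocated
        KerberosTickets    = $ticketCount
        KerberosPathUsable = $kdcLocated -and ($ticketCount -gt 0)
    }
}

function Resolve-PasswordChangeError {
    # Decodes a status returned by a programmatic password change (Win32 code or NTSTATUS).
    param([Parameter(Mandatory)] [int64] $Code)

    # Accept the signed 32-bit form of an NTSTATUS as well as the unsigned one.
    if ($Code -lt 0) { $Code = $Code -band 0xFFFFFFFF }

    $advice = 'NTLM was used for the change. Confirm a KDC is reachable (nltest /dsgetdc:<domain> /kdc) ' +
              'and that Kerberos is used for the change, or log off the other sessions for this account, then retry.'

    # The two codes documented in the table above; switch compares with -eq, so int32/int64 mix safely.
    switch ($Code) {
        0x4F1      { return [pscustomobject]@{ Code = '0x4F1';      Name = 'ERROR_DOWNGRADE_DETECTED';  Advice = $advice } }
        0xC0000388 { return [pscustomobject]@{ Code = '0xC0000388'; Name = 'STATUS_DOWNGRADE_DETECTED'; Advice = $advice } }
    }

    # Other NTSTATUS values (high bit set) are not Win32 codes; report them as-is.
    if ($Code -gt 0xFFFF) {
        return [pscustomobject]@{ Code = ('0x{0:X8}' -f $Code); Name = 'NTSTATUS'; Advice = 'Not a downgrade error; see the NTSTATUS reference.' }
    }

    # Any other Win32 code: let the OS supply the message text.
    $msg = ([System.ComponentModel.Win32Exception]::new([int]$Code)).Message
    [pscustomobject]@{ Code = ('0x{0:X}' -f $Code); Name = 'WIN32'; Advice = $msg }
}

# Usage (domain name is a constructed placeholder):
#   Test-KerberosPasswordChangePath -Domain 'corp.example.com'
#   Resolve-PasswordChangeError -Code 1265
#   Resolve-PasswordChangeError -Code 0xC0000388
```

Run the first function from the session that will perform the change: a result with KdcLocated false reproduces the fallback condition this article describes, and fixing DC discovery (DNS SRV records, site configuration) is the remediation rather than retrying over NTLM. The second function is meant for scripts that wrap a programmatic change and want to distinguish the downgrade error from ordinary failures such as a rejected old password.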

How to obtain and install the update


Method 1: Windows Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Get security updates automatically.

Note For Windows RT 8.1, this update is available through Windows Update only.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

More Information


File Information