Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Microsoft re-release of KB973811 - attacks on Extended Protection for Authentication - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft re-release of KB973811 - attacks on Extended Protection for Authentication

Yesterday Microsoft re-released KB973811 ==> http://www.microsoft.com/technet/security/advisory/973811.mspx

This relates back to the original KB973917 ==> http://support.microsoft.com/kb/973917

and advisory MS09-071 ==> http://www.microsoft.com/technet/security/bulletin/ms09-071.mspx

This affects the Extended Protection for Authentication functions within XP, Vista and Server 2003 ==> http://support.microsoft.com/kb/968389

It didn't show up in yesterday's Patch Tuesday review because Microsoft is classifying it as a "non-security upgrade". This is confusing to me, because the update actually includes mitigation against a credential forwarding attack, which you might see on an unencrypted, unsigned connection (yes, there's still a lot of that going around ! )

This update affects XP, Vista and Server 2003.  Windows 7 and Server 2008 R2 are not affected.

Thanks to our readers on letting us know about this one.  I'm still puzzled as to why this wasn't on Microsoft's list of security updates ...

=============== Rob VandenBrink Metafore ===============

Rob VandenBrink

515 Posts
ISC Handler
http://support.microsoft.com/kb/894199
The master listing of Windows based updates is there and that's where you can see the Ext Auth patch listed. It was a security advisory patch but not a true security update therefore why it was not officially listed as a security patch.

There is a server 2008 version of the patch that has been re-released as well.

http://support.microsoft.com/kb/973917/

Are you sure 968389 was re-released? I'm seeing that 973917 was rereleased?

Susan

34 Posts
Note On March 9, 2010, this update was rereleased to address an installation issue and a functional issue:
This update will now correctly detect when a computer that is running Windows Server 2003 Service Pack 2 (SP2) is in an installation where IIS 6 contains some Windows Server 2003 Service Pack 1 (SP1) binaries, and will refuse to install and exits with an error code. The versions of update 973917 that were released before this date will successfully install, but they could cause IIS to not restart after installation.
On a computer that is running Windows Server 2003, this rerelease addresses an issue that could cause excessive amounts of memory to be allocated upon enabling Extended Protection for Authentication.
On a computer that is running Windows Server 2008, this rerelease addresses an issue that could cause Extended Protection not to function correctly when IIS is configured to use kernel-mode Windows Authentication.
Susan

34 Posts

Sign Up for Free or Log In to start participating in the conversation!