icetray - Fotolia

Microsoft releases out-of-band update for Windows Server

Less than a week after November's Patch Tuesday, Microsoft released an unscheduled security update for Windows Server to address an authentication vulnerability.

Microsoft has issued a rare out-of-band security update to address a vulnerability on some Windows Server systems.

The update, released Sunday, should be applied to Windows Server 2008, 2012, 2016 and 2019 installations where the server is being used as a domain controller. Machines only running Active Directory are not impacted.

Administrators are being advised to test and install the updates in order to address an authentication issue that was discovered and detailed last week. Microsoft said the vulnerability was causing the servers to fail to authenticate users that relied on single sign-on tokens and some Active Directory and SQL Server services.

The Windows security advisory said the intent of the update was "to resolve issues in which authentication might fail on DCs with certain Kerberos delegation scenarios on all supported versions of Windows Server when used as a Domain Controller."

According to Microsoft, the problem was the way Windows Server was handling Kerberos authentication tokens. Specifically, a bug in the S4u2self extension was causing Kerberos tickets to fail to properly authenticate.

While the decision to push an update outside of Microsoft's normal monthly Patch Tuesday schedule is relatively uncommon, Microsoft will on occasion go out of band in order to address potentially serious issues, in this case a bug that was causing authentication failures.

Last week, Microsoft issued the November edition of Patch Tuesday, addressing a total of 55 CVE-listed vulnerabilities. Of those, two vulnerabilities had been exploited in the wild as zero-day flaws and an additional four had been made public prior to patching.

Monday's update will further add to the patching workload for companies still working to test and install the dozens of Patch Tuesday updates as well as fixes from Adobe posted on the same day.

There is some good news to be had for administrators, however. Because the bug only affects Windows Server systems being used as a domain controller, end-user PCs running the client version of Windows will not need to be updated.

Because the fix is not being distributed through the automated Windows update service, it will need to be obtained through the Windows Server Update Services portal.     

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing