Last week, I wrote on the arrival of Microsoft’s security bulletin MS14-066, containing a security update addressing several vulnerabilities in the Secure Channel. Yesterday, Microsoft issued an updated version of the update.
Some customers have reported an issue to Microsoft, that is related to the changes in this release. These changes added the following new cipher suites to Windows Server 2008 R2 and Windows Server 2012. In order to give customers more control over whether these cipher suites are used in the short term, we are removing them from the default cipher suite priority list in the registry.
Note If you downloaded and then installed this security update from the Microsoft Download Center for Windows Server 2008 R2 or Windows Server 2012, we recommend that you reinstall the security update from the Download Center. When you click the Download button, you will be prompted to select the check boxes for updates 2992611 and 3018238. Click to select both updates, and then click Next to continue with the updates. These packages will require two restarts in sequence during installation.
A new secondary package was added to KB2992611 for Windows Server 2008 R2 and Windows Server 2012. In the new version for the update, the contents of the previous update are separated into to update packages:
- The first part, that keeps the same KnowledgeBase article number (KB2992611)
- The second part that only includes the cipher suites (KB3018238)
Effectively, the second update contains the changes to the cipher suite priority list in the registry for the new TLS cipher suites, previously part of the original update:
KB3018238 will install automatically and transparently together with security update KB2992611. It will appear separately in the list of installed updates.
An updated version of KB2992611 is available for systems running Windows Server 2008 R2 and Windows Server 2012. You can deploy this updated security update to scenarios where the previous update broke functionality (or you could manually edit the cipher suite priority list in the registry ). Do not implement KB3018238 in these scenarios, unless thoroughly tested.
When you don’t experience problems with this update, you may deploy the updated version of KB2992611 (and KB3018238) with lesser priority: There are currently no reports that the first version of the security update does not adequately patches the Secure Channel vulnerabilities.
Microsoft may re-add the cipher suites to the default priority list in a future release after the community has had an opportunity to make sure of correct execution in all customer scenarios.