On-premises Microsoft Identity-related updates and fixes for June 2019


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for June 2019:

                   

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4509475 June 27, 2019

The June 27, 2019 update for Windows Server 2016 (KB4509475) updating the OS Build number to 14393.3056 does not include Identity-related fixes.

KB4503294 June 18, 2019

The June 18, 2019 update for Windows Server 2016 (KB4503294) updating the OS Build number to 14393.3053 includes the following Identity-related fixes:

  • It addresses an issue that returns an error when using certutil.exe to verify a certificate. The error is “Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)”.
  • It addresses an issue with using Data Protection Application Programming Interface NG (DPAPI-NG) or a group-protected Personal Information Exchange Format (PFX) file. Data you protected using one of these mechanisms on Windows 10, version 1607 and Windows Server 2016 or earlier cannot be decrypted using Windows 10, version 1703 or later.
  • It reinforces the Certificate Revocation List (CRL) on Internet Key Exchange version 2 (IKEv2) machines for certificate-based virtual private network (VPN) connections, such as Device Tunnel, in an Always On VPN deployment. 
  • It addresses high-latency Active Directory Federation Services (AD FS) response times for globally distributed datacenters that may have SQL servers in remote datacenters. This improves the performance for all token requests coming to AD FS, which includes OAuth, SAML, WS-Fed, and WS-Trust.
  • It addresses an issue that may cause a Lightweight Directory Access Protocol (LDAP) paged search against a Windows 2016 Domain Controller to fail. The error message is “00000057: LdapErr: DSID-0C090AB0, comment: Error processing control, data 0, v3839.”

KB4503267 June 11, 2019

The June 11, 2019 update for Windows Server 2016 (KB4503267) updating the OS Build number to 14393.3025 includes mainly security fixes.

Aside from the four zero-days, Microsoft patched 11 remote code execution (RCE) bugs, three of which are rated critical. CVE-2019-0620 and CVE-2019-0722 are Hyper-V bugs that could let an attacker run arbitrary code on the host operating system by running specially designed code in a guest OS. CVE-2019-0888 is a vulnerability in the way ActiveX Data Objects (ADO) handle objects in memory and could allow an attacker to compromise a machine by convincing a user to visit a specially crafted website.

There are also 9 RCEs rated critical for Microsoft Edge and Chakra Core, all of which are either memory corruption bugs or problems with the way objects are handled in memory. Some of these vulnerabilities also affect Internet Explorer.

This update also includes one Identity-related fix:

  • It addresses an issue that may cause authentication to fail when using Windows Hello for Business on Windows Server 2016 with the Server Core option installed.

This update also introduces an Identity-related known issue:

  • Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of this update on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

              

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4509479 June 26, 2019

The June 26, 2019 quality update for Windows Server 2019 (KB4509479) updating the OS Build number to 17763.593 doesn’t include Identity-related fixes.

KB4501371 June 18, 2019

The June 18, 2019 quality update for Windows Server 2019 (KB4501371) updating the OS Build number to 17763.592 includes one Identity-related fix:

  • It addresses an issue that triggers a Group Policy update even when there are no policy changes. This issue occurs when using the client-side extension (CSE) for folder redirection.

KB4503327 June 11, 2019

The June 11, 2019 quality update for Windows Server 2019 (KB4503327) updating the OS Build number to 17763.557 includes mainly security fixes.

Aside from the four zero-days, Microsoft patched 11 remote code execution (RCE) bugs, three of which are rated critical. CVE-2019-0620 and CVE-2019-0722 are Hyper-V bugs that could let an attacker run arbitrary code on the host operating system by running specially designed code in a guest OS. CVE-2019-0888 is a vulnerability in the way ActiveX Data Objects (ADO) handle objects in memory and could allow an attacker to compromise a machine by convincing a user to visit a specially crafted website.

There are also 9 RCEs rated critical for Microsoft Edge and Chakra Core, all of which are either memory corruption bugs or problems with the way objects are handled in memory. Some of these vulnerabilities also affect Internet Explorer.
