mskbMicrosoftKB2873872
HistoryAug 13, 2013 - 12:00 a.m.

MS13-066: Vulnerability in Active Directory Federation Services could allow information disclosure: August 13, 2013

Microsoft
support.microsoft.com

EPSS: 0.024 (percentile: 90.1%)

<html><body><p>Resolves a vulnerability in Active Directory Federation Services (AD FS) that could reveal information that relates to the service account that is used by AD FS.</p><h2>INTRODUCTION</h2><div>Microsoft has released security bulletin MS13-066. To view the complete security bulletin, go to the following Microsoft website: <ul><li>IT professionals:<br /><div><a href="http://technet.microsoft.com/security/bulletin/ms13-066" target="_self">http://technet.microsoft.com/security/bulletin/MS13-066</a></div></li></ul><h3>How to obtain help and support for this security update</h3>Help for installing updates: <a href="https://support.microsoft.com/ph/6527" target="_self">Support for Microsoft Update</a><br /><br />Security solutions for IT professionals: <br /><a href="http://technet.microsoft.com/security/bb980617.aspx" target="_self">TechNet Security Troubleshooting and Support</a><br /><br />Help protect your Windows-based computer from viruses and malware: <a href="https://support.microsoft.com/contactus/cu_sc_virsec_master" target="_self">Virus Solution and Security Center</a><br /><br />Local support according to your country:<br /><a href="https://support.microsoft.com/common/international.aspx" target="_self">International Support</a><br /><br /></div><h2>More Information</h2><div><span>Notes for computers running Windows Server 2012</span><ul><li>Computers running Windows Server 2012 will be offered security updates <a href="https://support.microsoft.com/help/2843638" target="_self">2843638</a> and <a href="https://support.microsoft.com/help/2843639" target="_self">2843639</a>. These packages are chain installed. </li><li>When the installation is complete, both updates <a href="https://support.microsoft.com/help/2843638" target="_self">2843638</a> and <a href="https://support.microsoft.com/help/2843639" target="_self">2843639</a> are listed in the list of installed updates. 
</li><li>Windows Update will not re-offer these security updates if the previous versions are already installed. </li></ul><span>Notes for computers running Windows Server 2008 R2 and Windows Server 2008</span><ul><li>Computers running Windows Server 2008 R2 and Windows Server 2008 will only be offered security update <a href="https://support.microsoft.com/help/2843638" target="_self">2843638</a>. This package includes the security updates that are included in <a href="https://support.microsoft.com/help/2843638" target="_self">2843638</a> and <a href="https://support.microsoft.com/help/2843639" target="_self">2843639</a>. Windows Update will not re-offer these security updates if the previous versions are already installed.</li><li>When the installation is complete, only update <a href="https://support.microsoft.com/help/2843638" target="_self">2843638</a> is listed in the list of installed updates. </li><li>A previous revision of this security update required that <a href="https://support.microsoft.com/help/2790338" target="_self">http://support.microsoft.com/kb/2790338</a> be applied to avoid functionality issues with security update 2843639. This dependency is no longer required for computers running Windows Server 2008 R2 and Windows Server 2008. </li><li>Windows Update will re-offer security update <a href="https://support.microsoft.com/help/2843638" target="_self">2843638</a> if the previous version of the security update is already installed. </li></ul><h3>Known issues and additional information about this security update</h3><ul><li>Microsoft is aware of problems with the security updates described in MS13-066 that affect Active Directory Federation Services (ADFS) 2.0. The problems could cause ADFS to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed.<br /><br />On August 19th 2013, Microsoft rereleased security update 2843638 to address this issue. 
Customers who already installed the original updates will be reoffered security update 2843638 and are encouraged to apply it at the earliest opportunity. Note that when the installation is complete, customers will see only the 2843638 update in the list of installed updates.</li></ul> <br /><br />The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed under each article link. <ul><li><div><a href="https://support.microsoft.com/en-us/help/2868846">2868846 </a> MS13-066: Description of the security update for Active Directory Federation Services 1.x: August 13, 2013</div><span>Note</span> After you install this security update, you must edit the Clientlogon.aspx page to add the text "autocomplete=off" for the <strong>Username</strong> and <strong>Password</strong> text boxes to manually complete the installation. <br /></li><li><div><a href="https://support.microsoft.com/en-us/help/2843638">2843638 </a> MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013</div><br /><br /><br />Known issues in security update 2843638:<br /><ul><li>Microsoft Knowledge Base article 2843638 describes several issues that are resolved by hotfix 2896713. 
For more information, click the following article number to view the article in the Microsoft Knowledge Base:<br /><div><a href="https://support.microsoft.com/en-us/help/2896713">2896713 </a> Update is available to fix several issues after you install security update 2843638 on an AD FS server</div></li></ul></li><li><div><a href="https://support.microsoft.com/en-us/help/2843639">2843639 </a> MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013</div><br /><br /><br /><br />Known issues in security update 2843639:<br /><ul><li>Knowledge Base article 2843639 describes several issues that are resolved by hotfix 2896713. For more information, click the following article number to view the article in the Microsoft Knowledge Base:<br /><div><a href="https://support.microsoft.com/en-us/help/2896713">2896713 </a> Update is available to fix several issues after you install security update 2843638 on an AD FS server</div></li></ul><span>Note</span> After you install this security update, you must edit the FormsSignIn.aspx page to add the text "autocomplete=off" for the <strong>Username</strong> and <strong>Password</strong> text boxes to manually complete the installation. 
</li></ul></div><h2>FILE INFORMATION</h2><div><div><div><div><span><span></span></span><span><span>File hash information</span></span></div><div><span><div><div></div></div><br /></span></div></div></div></div></body></html>
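
A check for the manual step in the notes above, as an added example that is not part of the Microsoft article: it scans sign-in page markup (Clientlogon.aspx or FormsSignIn.aspx) and lists the username and password text boxes that still lack autocomplete=off. The function names and the control IDs in the sample markup are assumptions, not taken from the shipped pages.

```python
import re

# Opening <asp:TextBox ...> or <input ...> tags; attributes may span lines.
TAG_RE = re.compile(r"<(asp:TextBox|input)\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# name="value", name='value' or bare name=value inside a tag.
ATTR_RE = re.compile(r"([\w:-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s\"'>]+))")


def parse_attrs(raw):
    """Return the tag's attributes as a dict with lower-cased names."""
    attrs = {}
    for name, dq, sq, bare in ATTR_RE.findall(raw):
        # A bare value directly before "/>" would otherwise keep the slash.
        attrs[name.lower()] = dq or sq or bare.rstrip("/")
    return attrs


def fields_missing_autocomplete_off(page_text):
    """List IDs of username/password text boxes that lack autocomplete=off."""
    missing = []
    for _tag, raw in TAG_RE.findall(page_text):
        attrs = parse_attrs(raw)
        ident = attrs.get("id") or attrs.get("name") or ""
        is_credential = (
            re.search(r"user|pass", ident, re.IGNORECASE)
            or attrs.get("textmode", "").lower() == "password"
            or attrs.get("type", "").lower() == "password"
        )
        if is_credential and attrs.get("autocomplete", "").lower() != "off":
            missing.append(ident or "<unnamed>")
    return missing


# Constructed sample markup (control IDs are assumptions): the username box
# has been edited as the note requires, the password box has not.
SAMPLE_PAGE = """
<asp:TextBox runat="server" ID="UsernameTextBox" autocomplete="off"></asp:TextBox>
<asp:TextBox runat="server" ID="PasswordTextBox"
             TextMode="Password"></asp:TextBox>
<asp:TextBox runat="server" ID="RealmTextBox"></asp:TextBox>
"""

if __name__ == "__main__":
    for field in fields_missing_autocomplete_off(SAMPLE_PAGE):
        print(f"autocomplete=off missing on {field}")
```

Run it against a copy of the edited page after each reinstall of the update, since a rereleased package can replace the page and drop the manual edit.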