We reported previously that many of our users, and many people posting to forums across the web, were seeing problems caused by last week’s patch for a serious SChannel vulnerability, MS14-066 (KB2992611). It turns out the problem was caused not by the fix for the vulnerability itself, but by the new cipher suites that the patch added to the Transport Layer Security (TLS) implementation.
The problems were manifesting on Windows Server 2008 R2 and Windows Server 2012 machines with TLS 1.2 enabled (the default on those systems). Windows client machines appear to have been unaffected, and not all computers running those server operating systems were hit. The reported symptoms included dropped TLS sessions, unresponsive computers, and “fatal event” errors in the System event log.
Microsoft issued a workaround for the problem that involves deleting the four cipher suites the patch added, but also recommended uninstalling the update if you were affected. Now the company has re-released the update for the affected operating systems, together with a secondary update that removes the four cipher suites from the default cipher suite priority list in the registry. The secondary update only removes the cipher suites; the security fix for the vulnerability itself is not affected.
The secondary update package is KB3018238, which is installed together with KB2992611 when the latter is reinstalled. The new version of KB2992611 is offered through Windows Update on Windows Server 2008 R2 and 2012 even if you already have the original update of that number installed.
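The following PowerShell script is an added example for checking a server against the problem described above; it is not code from this article or from Microsoft. It reports whether KB2992611 and KB3018238 are installed, reads the SChannel cipher suite priority list and tells you whether the four added suites are still in it, and, only when run with -Remove, strips them from the local list, which is what the manual workaround did. Two things in it are assumptions not stated on this page: the registry locations of the local and Group Policy priority lists (the local default is a REG_MULTI_SZ value named Functions; a policy-set list in the Policies key takes precedence and is a comma-separated REG_SZ), and the names of the four cipher suites, which are taken from Microsoft’s KB article rather than from this article. Save it as a .ps1 and run it from an elevated prompt; a removal needs a reboot before SChannel picks up the new list.

```powershell
<#
  Added example, not code from the original article or from Microsoft.
  Checks a Windows Server 2008 R2 / 2012 host for the four cipher suites that
  KB2992611 added to SChannel, reports whether KB2992611 and KB3018238 are
  installed, and (only with -Remove) strips the four suites from the local
  priority list, which is what the original workaround did by hand.

  Assumptions (not stated on the page):
   - the local default priority list is the REG_MULTI_SZ value 'Functions'
     under the Local\SSL\00010002 key below; a policy-set list under the
     Policies key takes precedence and is a comma-separated REG_SZ;
   - the four suite names are the ones Microsoft's KB article names.
  Run from an elevated PowerShell prompt; a removal needs a reboot to apply.
#>
param([switch]$Remove)

$SuitesAddedByKB2992611 = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-CipherSuiteList {
    # Returns the suite names held in the 'Functions' value of $Key, or an empty array.
    param([string]$Key)
    if (-not (Test-Path $Key)) { return @() }
    $item = Get-ItemProperty -Path $Key -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    if ($item.Functions -is [string]) {
        # Policy form: one comma-separated REG_SZ string.
        return @($item.Functions -split ',' | ForEach-Object { $_.Trim() })
    }
    # Local form: REG_MULTI_SZ, one suite per entry.
    return @($item.Functions)
}

# 1. Patch state. If KB3018238 is installed, the suites were already removed for you.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { 'KB2992611','KB3018238' -contains $_.HotFixID } |
    ForEach-Object { $_.HotFixID }
foreach ($kb in 'KB2992611','KB3018238') {
    $state = if ($installed -contains $kb) { 'installed' } else { 'NOT installed' }
    Write-Output ("{0}: {1}" -f $kb, $state)
}

# 2. Which list is in effect, and whether the four added suites are in it.
$policyList = Get-CipherSuiteList $PolicyKey
$localList  = Get-CipherSuiteList $LocalKey
$effective  = if ($policyList.Count -gt 0) { $policyList } else { $localList }
$source     = if ($policyList.Count -gt 0) { 'Group Policy list' } else { 'local default list' }
$present    = @($SuitesAddedByKB2992611 | Where-Object { $effective -contains $_ })

if ($present.Count -eq 0) {
    Write-Output "None of the four GCM suites is in the $source; nothing to remove."
    return
}
Write-Output "Found in the ${source}:"
$present | ForEach-Object { Write-Output "  $_" }

# 3. Optional removal. Only the local list is edited here; a policy-set list
#    must be changed in the GPO that sets it, or the policy will overwrite the change.
if (-not $Remove) {
    Write-Output 'Re-run with -Remove to strip them from the local list.'
    return
}
if ($policyList.Count -gt 0) {
    Write-Warning 'Cipher suite order is set by Group Policy; edit the GPO instead of the registry.'
    return
}
$newList = @($localList | Where-Object { $SuitesAddedByKB2992611 -notcontains $_ })
Set-ItemProperty -Path $LocalKey -Name Functions -Value $newList -Type MultiString
Write-Output ("Removed {0} suite(s); reboot for SChannel to reload the list." -f ($localList.Count - $newList.Count))
```

The script deliberately refuses to edit the registry when a Group Policy list is in force, because the policy would reapply the four suites on the next refresh; and it reports the two KB numbers first so that, on a host that already has KB3018238, you can see the list is clean for that reason rather than because of a manual edit.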
For more information, see the new version of KB article 2992611.