On the occasion of the first Patch Tuesday of the year 2021, Microsoft has released a Windows 7 security update, KB4598279. This operating system has been discontinued since January 2020.
This maintenance is not intended for all users. It only applies to PCs enrolled in the paid Extended Security Update (ESU) program. It concerns businesses.
The update in question is KB4598279. It fixes flaws affecting Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Fundamentals, Windows Cryptography, Windows Virtualization and Windows Hybrid Storage Services. It also fixes a vulnerability in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface.
Added to all this is the resolution of an issue affecting an MIT domain. On this subject, the giant explains:
“The issue is preventing a trusted Managed Identity for Application (MIT) domain from obtaining a Kerberos service ticket from Active Directory domain controllers (DCs). This problem occurs after installing Windows updates that contain the CVE-2020-17049 protections issued between November 10 and December 8, 2020 and setting PerformTicketSignature to 1 or more.”
All the details on these fixes are available at the end of the article. However, this update is not perfect. It comes with two problems. The first is known and carries over from previous updates. It causes an error when the update is installed on a device that is not enrolled in the ESU program. Microsoft specifies:
“After you install this update and restart your device, you may receive the error, ‘Failed to configure Windows updates. Cancellation of changes. Do not turn off your computer’, and the update may show as failed in the update history.”
Windows 7 and KB4598279 release note
- Addresses a security bypass vulnerability that exists in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface. For more information, see KB4599464.
- Addresses a security vulnerability issue with HTTPS-based intranet servers. After you install this update, HTTPS-based intranet servers cannot leverage a user proxy to detect updates by default. Scans that use these servers will fail if the clients do not have a configured system proxy.
If you must leverage a user proxy, you must configure the behavior by using the Windows Update policy “Allow user proxy to be used as a fallback if detection using system proxy fails”. To ensure the highest levels of security, additionally leverage Windows Server Update Services (WSUS) Transport Layer Security (TLS) certificate pinning on all devices. For more information, see “Changes to scans, improved security for Windows devices”.
Note: This change does not affect customers who use HTTP WSUS servers.
- Addresses an issue in which a principal in a trusted Managed Identity for Application (MIT) realm does not obtain a Kerberos service ticket from Active Directory domain controllers (DCs). This issue occurs after Windows updates that contain CVE-2020-17049 protections released between November 10 and December 8, 2020 are installed and PerformTicketSignature is configured to 1 or higher. Ticket acquisition fails with KRB_GENERIC_ERROR if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
- Security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Fundamentals, Windows Cryptography, Windows Virtualization, and Windows Hybrid Storage Services.