Microsoft Security Advisory 3045755

Published: April 14, 2015

Version: 1.0

Microsoft is announcing the availability of a defense-in-depth update that improves the authentication used by the Public Key Cryptography User-to-User (PKU2U) security support provider (SSP) in Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The improvement is part of ongoing efforts to bolster the effectiveness of security controls in Windows.

The update released on April 15, 2015:

• Microsoft released an update (3045755) for all supported editions of Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update is available on the Download Center as well as the Microsoft Update Catalog for all affected software. It is also offered via automatic updating and through the Microsoft Update service. For more information, see Microsoft Knowledge Base Article 3045755. Synopsis of functionality added by the update  The update improves certain authentication scenarios for PKU2U. After applying this defense-in-depth update, PKU2U will no longer authenticate to a Windows Live ID (WLID) if an initial authentication attempt fails.

This advisory discusses the following software.

What is the scope of the advisory? 
The purpose of this advisory is to notify customers that a defense-in-depth update is available that improves the authentication used by the Public Key Cryptography User-to-User (PKU2U) security support provider (SSP) in Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The improvement is part of ongoing efforts to bolster the effectiveness of security controls in Windows.

What is defense-in-depth? 
In information security, defense-in-depth refers to an approach in which multiple layers of defense are in place to help prevent attackers from compromising the security of a network or system.

What is PKU2U?
Public Key Cryptography User-to-User (PKU2U) is a security support provider (SSP) protocol that enables peer-to-peer authentication, particularly through the Windows media- and file-sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain.

What does the update do?
The update improves certain authentication scenarios for PKU2U. After applying this defense-in-depth update, PKU2U will no longer authenticate to a Windows Live ID (WLID) if an initial authentication attempt fails.

Microsoft thanks the following for working with us to help protect customers:

• Jerry Decime, Hewlett Packard, for working with us on this issue

• You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.

• Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
• International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
• Microsoft TechNet Security provides additional information about security in Microsoft products.

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

• V1.0 (April 14, 2015): Advisory published.

Page generated 2015-04-13 14:48Z-07:00.