Microsoft Security Advisory 3045755

Update to Improve PKU2U Authentication

Published: April 14, 2015

Version: 1.0

Microsoft is announcing the availability of a defense-in-depth update that improves the authentication used by the Public Key Cryptography User-to-User (PKU2U) security support provider (SSP) in Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The improvement is part of ongoing efforts to bolster the effectiveness of security controls in Windows.

The update released on April 15, 2015:

  • Microsoft released an update (3045755) for all supported editions of Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update is available on the Download Center as well as the Microsoft Update Catalog for all affected software. It is also offered via automatic updating and through the Microsoft Update service. For more information, see Microsoft Knowledge Base Article 3045755.

    Synopsis of functionality added by the update 
    The update improves certain authentication scenarios for PKU2U. After applying this defense-in-depth update, PKU2U will no longer authenticate to a Windows Live ID (WLID) if an initial authentication attempt fails.

This advisory discusses the following software.

Operating System

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012 R2

Windows RT 8.1

Server Core installation option

Windows Server 2012 R2 (Server Core installation)

What is the scope of the advisory? 
The purpose of this advisory is to notify customers that a defense-in-depth update is available that improves the authentication used by the Public Key Cryptography User-to-User (PKU2U) security support provider (SSP) in Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The improvement is part of ongoing efforts to bolster the effectiveness of security controls in Windows.

What is defense-in-depth? 
In information security, defense-in-depth refers to an approach in which multiple layers of defense are in place to help prevent attackers from compromising the security of a network or system.

What is PKU2U? 
Public Key Cryptography User-to-User (PKU2U) is a security support provider (SSP) protocol that enables peer-to-peer authentication, particularly through the Windows media- and file-sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain.

What does the update do? 
The update improves certain authentication scenarios for PKU2U. After applying this defense-in-depth update, PKU2U will no longer authenticate to a Windows Live ID (WLID) if an initial authentication attempt fails.

Microsoft thanks the following for working with us to help protect customers:

  • Jerry Decime, Hewlett Packard, for working with us on this issue

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (April 14, 2015): Advisory published.

Page generated 2015-04-13 14:48Z-07:00.
Show: