KB5016683 Security Update for Windows Server 2012 R2

KB5016683 is the security-only update for Windows Server 2012 R2. Microsoft released it on 9th August 2022 as part of the August 2022 'Patch Tuesday' release. Because it is a security-only update, it contains only the security fixes for Windows Server 2012 R2 and none of the non-security quality fixes that go into the monthly rollup. We look at the key aspects of KB5016683 for Windows Server 2012 R2 below.

KB5017365 is the security-only update for Windows Server 2012 R2 for the month of September 2022. You can read more about it on the KB5017365 page.

KB5017367 is the monthly rollup update for Windows Server 2012 R2 for the month of September 2022. You can read more about it on the KB5017367 page.

Salient points about KB5016683 for Windows Server 2012 R2

  • KB5016683 is the security-only update for Windows Server 2012 R2 and Windows Server 2012 R2 Server Core installation. It is not cumulative: it carries only the fixes for August 2022, not those of earlier months.
  • Because security-only updates are not cumulative, a server that is missing earlier security-only updates (or the most recent monthly rollup) stays exposed to the vulnerabilities those updates fixed. Before deploying KB5016683, make sure the previous security updates for the server, up to and including the July 2022 update KB5015877, are already installed.
  • The monthly rollup update for Windows Server 2012 R2 for August 2022 is KB5016681. The rollup is cumulative and includes the security fixes of KB5016683 together with non-security fixes.
  • Servicing Stack Update KB5016264 must be installed before KB5016683 on Windows Server 2012 R2.
  • Zero-day vulnerability CVE-2022-34713 in the Microsoft Windows Support Diagnostic Tool (MSDT) affects Windows Server 2012 R2. It is fixed in the KB5016683 security-only update.
  • For x64 systems, the MSU update file for KB5016683 is 37.5 MB. The Windows 8.1 x64 package is the same size, 37.5 MB, and the Windows 8.1 x86 package is 27.1 MB (Windows Server 2012 R2 is 64-bit only, so there is no x86 server package).
  • Other vulnerabilities that affect Windows Server 2012 R2 are listed in the vulnerabilities section below.

As mentioned above, KB5016683 is the security-only update for both the full and the Server Core installations of Windows Server 2012 R2.

Prerequisites for installing KB5016683 on Windows Server 2012 R2

There are two prerequisites for installing KB5016683 on Windows Server 2012 R2:

  • All the previous security updates for Windows Server 2012 R2 must already be installed on the server. In other words, your Windows Server 2012 R2 should already have the July 2022 security-only update KB5015877, released on 12th July 2022 as part of the July 'Patch Tuesday' release.
  • Servicing Stack Update KB5016264 must be installed before KB5016683. Windows Update and WSUS offer the SSU automatically; if you install KB5016683 manually from the Microsoft Update Catalog, install KB5016264 first as described in the deployment section below.
  • The KB5016264 SSU package is only 10.8 MB, and it does not require a server restart after installation.

With these two prerequisites in place, you can deploy KB5016683 on Windows Server 2012 R2 or Windows Server 2012 R2 Server Core installation.

Vulnerabilities on Windows Server 2012 R2

The August 2022 security release addresses over 120 vulnerabilities across Microsoft's server and desktop operating systems and other products. Here we focus on the zero-day and the other higher-risk vulnerabilities that affect Windows Server 2012 R2.

CVE-2022-34713 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability – This vulnerability has a CVSS score of 7.8. It was publicly disclosed before the patch and Microsoft reported it as exploited, which is why it counts as a zero-day. Exploitation requires a user to open a crafted file, so the practical exposure of a server depends on whether users handle untrusted files on it. It is fixed in KB5016683 for Windows Server 2012 R2 and Windows Server 2012 R2 Server Core installation.

CVE-2022-35793 – Windows Print Spooler Elevation of Privilege Vulnerability – This has a CVSS rating of 7.3. A local attacker who can already run code on the server could gain SYSTEM privileges through the Print Spooler service. On servers that do not need to print (domain controllers in particular), disabling the Print Spooler service removes this attack surface until KB5016683 is installed.

CVE-2022-35756 – Windows Kerberos Elevation of Privilege Vulnerability. The vulnerability has a CVSS rating of 7.8 and can lead to an attacker assuming domain administrator rights.

CVE-2022-35755 – Windows Print Spooler Elevation of Privilege Vulnerability – This vulnerability also has a CVSS rating of 7.3. Like CVE-2022-35793, it allows a local attacker to gain SYSTEM privileges through the Print Spooler service, and the same workaround of disabling the service applies until the update is installed.
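The Print Spooler workaround mentioned for CVE-2022-35793 and CVE-2022-35755, as an added PowerShell example that is not part of the original page or of Microsoft's guidance. It assumes an elevated PowerShell session on Windows Server 2012 R2 (PowerShell 4.0, so the service start mode is read through WMI rather than a property that only exists in PowerShell 5), and it assumes that a server with the Print-Services role installed is a print server that must keep spooling:

```powershell
# Added example: disable the Print Spooler service on a Windows Server 2012 R2
# host that does not need to print, as a stop-gap for CVE-2022-35793 and
# CVE-2022-35755 until KB5016683 is installed. Run elevated.

$svc = Get-Service -Name Spooler -ErrorAction Stop

# Assumption: a host with the Print-Services role is a real print server and
# must keep the spooler; patch it with KB5016683 instead of disabling.
$isPrintServer = (Get-WindowsFeature -Name Print-Services).Installed
if ($isPrintServer) {
    Write-Warning 'Print-Services role is installed; leaving Spooler running. Install KB5016683 instead.'
    return
}

# Record the current state so the change can be reverted after patching.
# Win32_Service.StartMode is used because Get-Service has no StartType on PowerShell 4.0.
$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'").StartMode
$before = [pscustomobject]@{ Status = $svc.Status; StartMode = $startMode }
"Before: status={0}, start mode={1}" -f $before.Status, $before.StartMode

if ($svc.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
}
Set-Service -Name Spooler -StartupType Disabled

# Verify the service is stopped and cannot be restarted by a local attacker
# via a reboot or a manual start.
$afterStatus = (Get-Service -Name Spooler).Status
$afterMode   = (Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'").StartMode
"After:  status={0}, start mode={1}" -f $afterStatus, $afterMode

if ($afterStatus -ne 'Stopped' -or $afterMode -ne 'Disabled') {
    throw 'Print Spooler is still enabled or running; workaround not applied.'
}

# To revert once KB5016683 is installed and the server has been restarted:
#   Set-Service -Name Spooler -StartupType Automatic
#   Start-Service -Name Spooler
```

The Print-Services check is deliberately conservative: on a server whose only printing need is occasional output from an administrator's session, disabling the spooler is still the safer choice, and the recorded "before" state makes the rollback a two-line change.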

CVE-2022-35751 – Windows Hyper-V Elevation of Privilege Vulnerability – This vulnerability has a CVSS score of 7.8. An attacker running code in a Hyper-V guest could target the Hyper-V host and gain SYSTEM privileges on it.

CVE-2022-35750 – Win32k Elevation of Privilege Vulnerability – This is a CVSS 7.8 rated vulnerability that a local attacker can use to gain SYSTEM privileges. It affects Windows Server 2012 R2 and Windows Server 2012 R2 Server Core.

KB5015877 Security Update for Windows Server 2012 R2 for July 2022

Read about July month’s security update for Windows Server 2012 R2.

How can I deploy KB5016683 on Windows Server 2012 R2?

KB5016683 is a security-only update, so it is available through fewer channels than the monthly rollup.

  • KB5016683 is not offered through Windows Update; Windows Update offers the monthly rollup KB5016681 instead.
  • KB5016683 is not offered through Windows Update for Business.
  • Through Windows Server Update Services (WSUS), you can install KB5016683 on Windows Server 2012 R2 or Windows Server 2012 R2 Server Core installation. Windows Server 2012 R2 was still in extended support in August 2022 (extended support ended on 10th October 2023), so no Extended Security Update licence was needed for this update.
  • You can download the MSU update file for KB5016683 from the Microsoft Update Catalog. The MSU update file for x64 systems is 37.5 MB in size.

If you install KB5016683 manually from the Catalog, install the KB5016264 Servicing Stack Update first, then KB5016683, and restart the server when the security-only update asks for it.
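The manual deployment described here, together with the prerequisite checks from the prerequisites section above, as an added PowerShell example that is not part of the original page or of Microsoft's tooling. It assumes that both MSU files have already been downloaded from the Microsoft Update Catalog to C:\Patches; the file names below are placeholders (the Catalog names carry a hash suffix), and the wusa.exe exit codes handled are the standard ones (0 success, 3010 restart required, 2359302 / 0x240006 already installed):

```powershell
# Added example: install the KB5016264 SSU and then the KB5016683 security-only
# update on Windows Server 2012 R2 from Catalog MSU files, with the checks a
# practitioner wants before and after. Run in an elevated PowerShell session.

# Assumption: placeholder paths; substitute the real file names from the Catalog.
$SsuMsu    = 'C:\Patches\KB5016264-x64.msu'   # servicing stack update, no restart needed
$UpdateMsu = 'C:\Patches\KB5016683-x64.msu'   # security-only update, restart required

function Test-KbInstalled([string]$Kb) {
    # Get-HotFix reads Win32_QuickFixEngineering, which lists MSU-installed updates.
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Install-Msu([string]$Path) {
    if (-not (Test-Path -Path $Path)) { throw "Missing update file: $Path" }

    # Supply-chain check: the MSU must carry a valid Microsoft Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        throw "Refusing to install $Path : signature status $($sig.Status)"
    }

    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { return 'installed' }
        3010    { return 'installed-restart-required' }
        2359302 { return 'already-installed' }            # 0x240006 WU_S_ALREADY_INSTALLED
        default { throw ("wusa.exe exit code {0} (0x{0:X}) for {1}" -f $p.ExitCode, $Path) }
    }
}

# 1. Earlier security-only updates are not included in KB5016683; warn if the
#    July 2022 update is absent so the gap is not mistaken for a patched server.
if (-not (Test-KbInstalled 'KB5015877')) {
    Write-Warning 'KB5015877 (July 2022 security-only update) is not installed; earlier fixes are still missing.'
}

# 2. Servicing stack update first.
if (Test-KbInstalled 'KB5016264') {
    'KB5016264 SSU already present'
} else {
    'KB5016264 SSU: ' + (Install-Msu -Path $SsuMsu)
}

# 3. The security-only update itself.
if (Test-KbInstalled 'KB5016683') {
    'KB5016683 already present'
} else {
    $result = Install-Msu -Path $UpdateMsu
    "KB5016683: $result"
    if ($result -eq 'installed-restart-required') {
        Write-Host 'Restart the server to finish installing KB5016683.'
    }
}

# 4. Verify both packages are now recorded on the system.
Get-HotFix -Id 'KB5016264', 'KB5016683' -ErrorAction SilentlyContinue |
    Select-Object -Property HotFixID, InstalledOn
```

Installing the SSU in the same run as the security-only update is fine because KB5016264 does not need a restart; the one restart at the end belongs to KB5016683. The signature check is there because the MSU is fetched out of band from the Catalog rather than through WSUS, so nothing else has verified it before wusa.exe runs it.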

Improvements in KB5016683 for Windows Server 2012 R2 and Windows Server 2012 R2 Server Core installation

  • Addresses an issue in which Speech and Network troubleshooters will not start.
  • Addresses an issue that might cause the Local Security Authority Server Service (LSASS) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 or later.
  • Enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, Active Directory domain controllers will not authenticate them. Mitigations that allowed non-compliant devices to authenticate will not exist after August 9, 2022. 

Summary

KB5016683 for Windows Server 2012 R2 resolves the zero-day CVE-2022-34713. It also fixes the LSASS token leak introduced by the June 2022 security updates. KB5016264 is the Servicing Stack Update that goes with the KB5016683 security-only update for Windows Server 2012 R2 and Windows Server 2012 R2 Server Core installation.

Other August Patch Tuesday updates by Microsoft: