KB5016684 Security Update for Windows Server 2012 – August 9 2022

KB5016684 is a security-only update for Windows Server 2012, released on 9th August 2022. Because it is a security-only update, it is not cumulative. We look at the key aspects of KB5016684 for Windows Server 2012. KB5016684 is also available for Windows Server 2012 Server Core Installation.

KB5017377 is the latest security-only update for Windows Server 2012, released on 13th September 2022. You can read more about it on the KB5017377 page.

Salient points about KB5016684 for Windows Server 2012

  • KB5016684 is a security-only update for Windows Server 2012. It is a standalone update and is not cumulative in nature.
  • Before installing KB5016684 on Windows Server 2012, you will need to ensure that all the previous security-only updates are installed on the server.
  • KB5016684 resolves the zero-day vulnerability CVE-2022-34713 that affects Windows Server 2012.
  • Servicing Stack Update KB5016263 for Windows Server 2012 will need to be deployed prior to installing KB5016684 on the server.
  • KB5016618 is the latest cumulative update for Internet Explorer. You need to install this prior to installing KB5016684 on Windows Server 2012.
  • The MSU update file for KB5016684 for Windows Server 2012 is 26.2 MB.
  • KB5016672 is the monthly rollup update for Windows Server 2012 and includes all the security changes delivered in KB5016684. Installing either KB5016684 or KB5016672 patches the server against the vulnerabilities reported in Microsoft's August security bulletin.

Prerequisites for installing KB5016684 on Windows Server 2012

Since KB5016684 is a security only update for Windows Server 2012, we need to ensure the following before deploying KB5016684:

  • All the previous security-only updates for Windows Server 2012 need to be deployed before installing KB5016684 on the server. The previous security-only update for Windows Server 2012 is KB5015875. Therefore, before installing KB5016684, we need to make sure that KB5015875 is installed on Windows Server 2012. Alternatively, you could ensure that the monthly rollup update KB5015863 for July 2022 is installed on the server.
  • Servicing Stack Update KB5016263 needs to be deployed on Windows Server 2012 before deploying the KB5016684 update. The size of this SSU is 9.8 MB. No server reboot is needed after deploying KB5016263 on Windows Server 2012.
  • The latest cumulative update for Internet Explorer needs to be installed on Windows Server 2012 before deploying KB5016684 on the server. KB5016618 is the cumulative update for Internet Explorer.

Once these prerequisites are taken care of, you can proceed with installing KB5016684 on Windows Server 2012.

Vulnerabilities that affect Windows Server 2012 and resolved in KB5016684

Microsoft reported over 120 vulnerabilities across different operating system versions and application software in its August 2022 security bulletin. We focus only on the zero-day threats and the vulnerabilities that are more likely to be exploited.

CVE-2022-34713 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability – This vulnerability has a CVSS score of 7.8. It is fixed in KB5016683 for Windows Server 2012 and Windows Server 2012 Server Core installation.

CVE-2022-35793 – Windows Print Spooler Elevation of Privilege Vulnerability – This has a CVSS rating of 7.3. An attacker could gain SYSTEM privileges through the Print Spooler service. The suggested mitigation is to disable the Print Spooler service so that an attacker cannot exploit this vulnerability.

CVE-2022-35756 – Windows Kerberos Elevation of Privilege Vulnerability. The vulnerability has a CVSS rating of 7.8 and can lead to an attacker assuming domain administrator rights.

CVE-2022-35751 – Windows Hyper-V Elevation of Privilege Vulnerability – This vulnerability has a CVSS score of 7.8. An attacker could use a Hyper-V guest to target the Hyper-V host and gain SYSTEM privileges.

CVE-2022-35750 – Win32k Elevation of Privilege Vulnerability – This is a CVSS 7.8 rated vulnerability that can be used by an attacker to gain SYSTEM privileges. It affects Windows Server 2012 and Windows Server 2012 Server Core.

As mentioned above, all these vulnerabilities affect Windows Server 2012 and Windows Server 2012 Server Core Installation.

How can I deploy KB5016684 on Windows Server 2012?

Windows Server 2012 is in its extended support phase. Therefore, you will not be able to use Windows Update or Microsoft Update for Business to apply KB5016684 on Windows Server 2012. You can apply the security update KB5016684 through one of the following methods:

  • WSUS (Windows Server Update Services) can be used to import the security update for the Windows Server 2012 product category.
  • KB5016684 can be applied manually through Microsoft Update Catalog. The MSU update file can be downloaded from the Microsoft Update Catalog page for KB5016684. The size of the MSU update file is 26.2 MB. The server will need a reboot post-deployment of KB5016684 on Windows Server 2012.
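
The prerequisite checks and the manual MSU installation described above can be combined into a single gate, shown here as an added example that is not part of the original article. The KB numbers are the article's; the function names and the MSU path passed in are hypothetical, and only the July 2022 baseline is checked as a stand-in for "all previous security-only updates".

```powershell
# Added example, not from the original article. KB numbers are the article's;
# function names and the MSU path passed in are hypothetical.
function Test-KB5016684Prerequisites {
    param(
        # Hotfix IDs to evaluate; defaults to what this server reports.
        [string[]]$Installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )
    $missing = @()
    if ($Installed -notcontains 'KB5016263') { $missing += 'KB5016263 (servicing stack update)' }
    if ($Installed -notcontains 'KB5016618') { $missing += 'KB5016618 (Internet Explorer cumulative update)' }
    # July 2022 baseline: the security-only update or, alternatively, the monthly rollup.
    if (($Installed -notcontains 'KB5015875') -and ($Installed -notcontains 'KB5015863')) {
        $missing += 'KB5015875 or KB5015863 (July 2022)'
    }
    New-Object PSObject -Property @{
        AlreadyPatched = (($Installed -contains 'KB5016684') -or ($Installed -contains 'KB5016672'))
        Missing        = $missing
    }
}

function Install-KB5016684 {
    param([Parameter(Mandatory = $true)][string]$MsuPath)   # path to the downloaded MSU

    $state = Test-KB5016684Prerequisites
    if ($state.AlreadyPatched) { return 'KB5016684 or rollup KB5016672 is already installed.' }
    if ($state.Missing.Count -gt 0) {
        return 'Blocked, install first: ' + ($state.Missing -join '; ')
    }
    if (-not (Test-Path -LiteralPath $MsuPath)) { return "MSU not found: $MsuPath" }

    # wusa.exe needs an elevated session; /norestart leaves the reboot to a maintenance window.
    $wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
    $proc = Start-Process -FilePath $wusa -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    switch ($proc.ExitCode) {
        0           { 'Installed.' }
        3010        { 'Installed; reboot required to complete.' }
        2359302     { 'Already installed (0x00240006).' }
        -2145124329 { 'Not applicable to this system (0x80240017).' }
        default     { "wusa.exe failed with exit code $($proc.ExitCode)." }
    }
}

# Constructed sample input: a server that has only the SSU and the July rollup.
(Test-KB5016684Prerequisites -Installed 'KB5016263', 'KB5015863').Missing
```

Get-HotFix reports only the KB IDs recorded on the server, so a prerequisite that was replaced by a newer package can show as missing; treat a "Blocked" result as a prompt to verify the update history rather than as proof.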

What improvements are included in KB5016684 for Windows Server 2012?

The following improvements are part of the KB5016684 security-only update for Windows Server 2012:

  • Addresses an issue in which Speech and Network troubleshooters will not start.
  • Addresses an issue that might cause the Local Security Authority Server Service (LSASS) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 or later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.
  • Enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, Active Directory domain controllers will not authenticate them.

Summary

The KB5016684 security-only update for Windows Server 2012 and Windows Server 2012 Server Core Installation contains security improvements for the server. Zero-day vulnerability CVE-2022-34713 is patched as part of KB5016684. Before deploying KB5016684 on Windows Server 2012, you will need to install the KB5016263 SSU and the KB5016618 cumulative update for Internet Explorer.
