KB5039266 for Windows Server 2008 Service Pack 2

KB5039266 is a security only update for Windows Server 2008 Service Pack 2 for x86 and x64 deployments. It was released on 11 June 2024 under the ‘Patch Tuesday’ program. To access the security update, you will require a valid ESU key.

KB5039266 is available for the following versions of Windows Server 2008:

  • Windows Server 2008 Datacenter ESU 
  • Windows Server 2008 Standard ESU 
  • Windows Server 2008 Enterprise ESU 
  • KB5039266 is non-cumulative. For full security coverage, you will need to install all the previous security updates.
  • KB5039341 is the Servicing Stack Update that corresponds to KB5039266. For automated updates, the SSU will be automatically installed as part of the installation of the security update. For manual updates, you will require to download and install the offline installer file for the SSU.
  • You will need to use the x86 or x64 versions of offline installer files for the KB5039341 and KB5039266.
  • 15 security vulnerabilities affect Windows Server 2008 Service Pack 2 for x86 and x64 systems.
  • CVE-2024-30080 is a CRITICAL vulnerability affecting Windows Server 2008 Service Pack 2. It is a CVSS 9.8 secuirty vulnerability affecting the Microsoft Message Queuing service.

You need valid ESU keys to apply KB5039266 on the Windows Server 2008 Service Pack 2 installations on x86 or x64 systems.

You could install KB5039266 automatically using one of the following methods:

  • Windows Update
  • WSUS or Windows Server Update Services

The SSU and the main security update will be automatically installed as part of the update process.

For manual updates, you need to follow a two-step process:

  • Download and install the Servicing Stack Update KB5039341
  • Download and install the security update KB5039266

We have shared links for the Microsoft Update Catalog for the SSU and the security update below:

The Servicing Stack Update will need to be installed before installing KB5039266 (recommended). The SSU will not cause a server reboot. The security update will result in a server reboot.

15 security vulnerabilities affect Windows Server 2008 Service Pack 2. Out of this, we are concerned with the CVE-2024-30080 vulnerability.

CVE-2024-30080 is a CRITICAL ‘Remote Code Execution’ vulnerability.

The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. To determine if your system is susceptible, check to see if the MSMQ HTTP-Support feature is enabled and if there is a service running named Message Queuing on the machine.

To exploit this vulnerability, an attacker would need to send a series of specially crafted MSMQ packets in a rapid sequence over HTTP to a MSMQ server. This could result in remote code execution on the server side.

The following changes are part of the KB5039266 security update:

  • This update resolves security issues in Windows Server 2008 Service Pack 2
  • A memory leak might occur in the Local Security Authority Subsystem Service (LSASS) during a Local Security Authority remote procedure call (LSARPC).
  • The Local Security Authority Subsystem Service (LSASS) might crash after the April 9, 2024 security update (KB5036950) is installed.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.