[German]Just a brief addendum to the August 14, 2018 patchday: Updates KB4343205 and KB4343900 blocks Single sign-on (SSO) and causes trouble even with terminal servers.
Advertising
A comment within my German blog
The information can already be found implicitly in the form of a comment from blog reader doc within my German blog. He wrote (I translated the comment):
KB4343205 & KB4343900 causes that SSO applications and the use of our proxy via terminal servers no longer work (cleanly).
A workaround would be to disable the "protected mode" on IE, but this should generally be avoided…
The abbreviation SSO stands here for Single sign-on. As it seems to affect a lot of users, I decided to wrote a separate blog post covering the details.
Found more hits within the Internet
Searching the Internet for KB4343205 and SSO will result in several hits. At reddit.com I found this thread, where a user described the problem and referenced a forum thread in Technet. It was this thread in Technet-Forum, I previously found. Within this thread a user wrote.
We use Okta in our environment (Windows 7) for SSO. After Windows updates ran this week, SSO no longer works in Internet Explorer. It still works perfectly in Chrome and Firefox. I've already contacted Okta and we've been able to prove that it is not an issue on their end.
We've tried the usual fixes…deleting browser history, ensuring that our local intranet sites are set properly, making sure that TLS 1.2 is enabled.
Other users in the thread also confirm the problem. Uninstalling updates KB4343205 and KB4343900 is described there as a solution. The above-mentioned deactivation of the protected mode in IE is specified as the workaround. However, this is undesirable for security reasons.
What are KB4343205 and KB4343900 updates for?
I've addressed update KB4343205 within my blog post Microsoft Patchday: Other Updates (August 14, 2018). This is the cumulative security update for Internet Explorer for Windows 7 to Windows 10 and the server counterparts. This security update fixes several reported vulnerabilities in Internet Explorer.
Advertising
The biggest of these vulnerabilities could allow remote code execution if a user views a specially crafted Web page in Internet Explorer. These vulnerabilities are probably already being exploited. Microsoft has now added a hint of a known problem in the KB article.
In Internet Explorer 11, a blank page may appear for some redirects. Additionally, if you open a site that uses Active Directory Federation Services (AD FS) or Single sign-on (SSO), the site may be unresponsive.
Update KB44343900 has been addressed within my blog post Patchday: Updates for Windows 7/8.1/Server (August 14, 2018). It is the Monthly Update Rollup for Windows 7 Service Pack 1 and for Windows Server 2008 R2 Service Pack 1, which is an update to close several variants of Spectre vulnerabilities, but also includes patches for Internet Explorer. Microsoft has also added a reference to the known problem (see above) in the KB article. .
A workaround for the issue
The above mentioned deactivation of the protected mode in IE is undesirable as a workaround for security reasons. A better solution is outlined in the Technet forum thread linked above and on reddit.com. An affected user wrote:
Found a workaround for this. If you turn off protected mode, it fixes the issue. I don't want to turn protect mode off (and i dont suggest you do that) but "trusted zone" has protected mode off by default. This means if you add the sites (your SSO sites and all the redirects) to the trusted zone, it will resolve the issue. I pushed this out through group policy.
Maybe this will help some blog readers who don't know this yet.
Similar articles:
Security update for Adobe Acrobat/Reader
Microsoft Office Patchday (August 7, 2018)
Windows 10 Updates KB4295110/KB4023057 (08/09/2018)
Microsoft Security Update Summary August 14, 2018
Patchday Windows 10-Updates (August 14, 2018)
Patchday: Updates for Windows 7/8.1/Server (August 14, 2018)
Patchday Microsoft Office Updates (August 14, 2018)
Microsoft Patchday: Other Updates (August 14, 2018)
Windows 10 V1709/1803: Issues (also August Patchday)
August patchday: Confusion over SQL Server 2014 SP2
Advertising
KB4343894 is the fix for the IE problem above