[German]Microsoft released update KB4565524 for Windows Server 2008 R2 on July 14, 2020. Among other things, the update is intended to close the critical SIGRed vulnerability in the Windows DNS server. However, users report that the update installation fails with error code 0x80070661.
The SIGRed vulnerability
There has been a bug in the code of the Windows DNS server for 17 years that leads to a critical vulnerability. The worm exploitable vulnerability could be exploited to gain domain administrator privileges and compromise the entire underlying corporate infrastructure.
Affected are Windows Server 2003 up to the current Windows Server 2019. I had reported extensively about the SIGRed vulnerability in the article Critical update for SigRed Bug in Windows DNS Server. CISA warns US admins to patch the vulnerability quickly (see CISA warns admins: Patch the SIGRed Windows DNS Server vulnerability).Microsoft has released updates to close the vulnerability.
Update KB4565524 for Windows Server 2008 R2
Update KB4565524 is also available for Windows Server 2008 R2 It is not explicitly mentioned there, but besides several fixes this update fixes the SIGRed vulnerability. neben diversen Fixes schließt dieses Update die SIGRed-Schwachstelle.
Update KB4565524 not installable
In this comment, Brian Hampsonpoints out that the KB4565524 update cannot be installed on Windows Server 2008.
the July patch for 2008R2 won't apply. It reverts after install. 0x80070661 – wrong architecture.
Hampson points to this thread at reddit.com, where the problem is also explained. One affected person writes:
Anyone having issue installing the patch for the new CVE? windows 2008R2
So i installed the SSU for 2008R2 KB4562030
Rebooted even though it wasn't required
Then installed the KB4565524
Rebooted as asked and now it goes to Failure Windows update reverting update.
This happened on 3 different Windows 2008R2 machines
and strangely nothing in the WU logs or event viewer
Anyone got that issue?
So he does not get the update installed on Windows Server 2008 R2. The update might get the error code 0x80070661 – wrong architecture.
The cause: Missing ESU license
In this comment I have named the reason for the crude error message. Systems with Windows Server 2008 R2 that do not have an ESU license are excluded from the update installation. Without an ESU license all update installations will fail and a rollback will be initiated. The problem as far as I have found out: It was nearly impossible for customers without volume license subscriptions or E3 plans to get an ESU license – I don't know a solution yet.
The (unofficial) BypassESU solution used by some Windows 7 users is not an option for Windows Server 2008 R2 systems (imho, due to many collateral damages). My tip would be to have a look at the following blog post (Windows Server 2008 R2: 0patch fixes SIGRed vulnerability). It describes a solution from Acros Security that protects systems from vulnerabilities for little money even without an ESU license.
Critical update for SigRed Bug in Windows DNS Server
CISA warns admins: Patch the SIGRed Windows DNS Server vulnerability
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
Wow! Windows 7 get extended support until January 2023
Windows 7: Free Extended Update Support and usage
Windows 7 Extended Security Updates (ESU) requirements
Windows 7 Extended Security Update (ESU) program available
Windows 7 Extended Security Updates (ESU) program, price and source for SMEs
Windows 7: Buy and manage ESU licenses – Part 1
Windows 7: Preparing for ESU and license activation – Part 2
Windows 7: ESU Activation inEnterprise Environment – Part 3
Windows 7: ESU questions and more answers – Part 4
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
Cookies helps to fund this blog: Cookie settings