Patchday: Updates for Windows 7/Server 2008 R2 (March 9, 2021)

Windows Update[German]On March 9, 2021, Microsoft has released various (security) updates for Windows 7 SP1 (ESU) and Windows Server 2008 R2. Here is an overview of these updates – somewhat delayed due to the printer issue.


Advertising

Updates for Windows 7/Windows Server 2008 R2

For Windows 7 SP1 and Windows Server 2008 R2 SP1 a rollup and a security-only update have been released. However, these updates are only available for systems with ESU license (2nd year). The update history for Windows 7 can be found on this Microsoft page

Starting January 15, 2020, Windows 7 in Starter, Home Basic, Home Premium, Professional (without ESU license) and Ultimate will show a full-screen end-of-support notification. This must then be closed by the user.

As of Jan. 14, 2020, Windows 7 SP1 and Windows Server 2008 R2 SP1 have reached the end of support and will only receive paid security updates in the future as part of the ESU program. For ESU license holders, it is recommended to take a look at the Windows Message Center to find out about the details. In the KB article there are hints what to consider (ESU license for the 2nd year etc.). 

Since the updates are offered in the Microsoft Update Catalog, don’t try to install them on systems without an ESU license first. The installation fails and a rollback occurs. What does work, however: Using the BypassESU methods. ByPassESU v11 should continue to work for the January 2021 patches (see Windows 7 SP1/Server 2008/R2: Extended Support 2021 – Part 2).

Important: Starting in July 2020, all Windows updates disable the RemoteFX vGPU feature due to the CVE-2020-1036 vulnerability (see also KB4570006). After installing this update, attempts to start virtual machines (VM) that have RemoteFX vGPU enabled fail.

Finally, one more note. There are problems with the March 2021 security updates for Windows when printing, whereupon the updates were stopped. Currently I have no overview whether the updates will be rolled out again via Windows Update – so check yourself.

KB5000841 (Monthly Rollup) for Windows 7/Windows Server 2008 R2

Update KB5000841 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) contains (besides the security fixes from the previous month) improvements and bug fixes and addresses the following items:

  • Addresses an elevation of privilege security vulnerability documented in CVE-2021-1640 related to print jobs submitted to “FILE:” ports. After installing Windows updates from March 9, 2021 and later, print jobs that are in a pending state before restarting the print spooler service or restarting the OS will remain in an error state. Manually delete the affected print jobs and resubmit them to the print queue when the print spooler service is online.

  • Addresses an issue in which a non-native device that is in the same realm does not receive a Kerberos Service ticket from Active Directory DCs. This issue occurs even though Windows Updates are installed that contain CVE-2020-17049 protections released between November 10 and December 8, 2020 and configured PerfromTicketSignature to 1 or larger. Ticket acquisition fails with KRB_GENERIC_ERROR if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without the USER_NO_AUTH_DATA_REQUIRED flag being set for the user in User Account Controls.


    Advertising

  • Security updates to Windows Fundamentals, Windows Shell, Windows UAC, Windows Hybrid Cloud Networking, and Windows Media.

Details about the fixed vulnerabilities can be found on this page. This update is automatically downloaded and installed via Windows Update. The package is also available via Microsoft Update Catalog and is distributed via WSUS. Details about the requirements and known issues can be found in the KB article

KB5000851 (Security Only) for Windows 7/Windows Server 2008 R2

Update KB5000851 (Security-only update) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1 with ESU license. The update addresses the following issues.

  • Addresses an issue in which a non-native device that is in the same realm does not receive a Kerberos Service ticket from Active Directory DCs. This issue occurs even though Windows Updates are installed that contain CVE-2020-17049 protections released between November 10 and December 8, 2020 and configured PerfromTicketSignature to 1 or larger. Ticket acquisition fails with KRB_GENERIC_ERROR if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without the USER_NO_AUTH_DATA_REQUIRED flag being set for the user in User Account Controls.

  • Security updates to Windows Fundamentals, Windows Shell, Windows UAC, Windows Hybrid Cloud Networking, and Windows Media.

The update is available via WSUS or in the Microsoft Update Catalog. To install the update, you must meet the prerequisites listed in the KB article and in the rollup update above. The update has the errors described in the KB article. Furthermore, the cumulative security update KB5000800 for Internet Explorer 11 should be installed. This is because a vulnerability is probably being actively exploited there.

Similar articles:
Microsoft Office Patchday (March 2, 2021)
Microsoft Security Update Summary (March 9, 2021)
Patchday: Windows 10-Updates (March 9, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (March 9, 2021)


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Update, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *