MS13-095: Vulnerability in XML digital signatures could allow denial of service: November 12, 2013

Symptoms
Microsoft has released security bulletin MS13-095. To view the complete security bulletin, visit one of the following Microsoft websites:
Home users:
http://www.microsoft.com/security/pc-security/updates.aspx
Skip the details: Download the updates for your home computer or laptop from the Microsoft Update Web site now:
http://update.microsoft.com/microsoftupdate/
IT professionals:
http://technet.microsoft.com/security/bulletin/MS13-095
How to obtain help and support for this security update
Help installing updates: Support for Microsoft Update
http://support.microsoft.com/ph/6527
Security solutions for IT professionals: TechNet Security Troubleshooting and Support
http://technet.microsoft.com/security/bb980617.aspx
Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
http://support.microsoft.com/contactus/cu_sc_virsec_master
Local support according to your country: International Support
http://support.microsoft.com/common/international.aspx

Resolution
Replacement information
Security update 2868626 replaces security update 2661254.
Note Security update 2661254 lists several known issues that occur after you install the update. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2661254 Microsoft Security Advisory: Update for minimum certificate key length
http://support.microsoft.com/kb/2661254/

Useful shelf life of a system-state backup of Active Directory

Symptoms
Windows Backup, the backup tool that is included with Microsoft Windows Server 2003 and with Microsoft Windows 2000, can back up and restore Active Directory on Windows Server 2003 or Windows 2000 domain controllers. These backups can be performed while the domain controller is online. You can restore these backups only when the domain controller is booted into Directory Services Restore mode by using the F8 key when the server is starting.
If a nonauthoritative restore is performed by using Backup, the domain controller will contain the settings and entries that existed in the Domain, Schema, Configuration, and optionally the Global Catalog Naming Contexts when the backup was performed. Partial synchronization (replication) from other replicas within the enterprise then updates all naming contexts hosted on the domain controller, overwriting the restored data.
For more information about authoritative and nonauthoritative restores, click the following article number to view the article in the Microsoft Knowledge Base:
216243 The effects on trusts and computer accounts when you authoritatively restore Active Directory
http://support.microsoft.com/kb/216243/
Windows Server 2003 and Windows 2000 do not allow the restoring of old backup images into a replicated enterprise. Specifically, the useful life of a backup is the same as the “tombstone lifetime” setting for the enterprise. The default value for the tombstone lifetime entry is 60 days. This value can be set on the Directory Service (NTDS) config object.
Resolution
If your only backup of Active Directory is older than the tombstone lifetime setting, reinstall the server after confirming there is at least one surviving domain controller in the domain from which new replicas can be synchronized. You can lose all but one server in the domain and still recover without a loss of data, assuming that the remaining survivor holds current information.
If every server in the domain is destroyed when you use the server in a single domain controller forest or in a single domain that contains multiple domain controllers, restore one server from an arbitrarily outdated backup. Then, replicate all other servers from the restored one. However, you cannot restore the server when you use the server in a multi-domain forest. In this scenario, information that was written to Active Directory after the outdated backup was performed is not available.
The tombstone lifetime attribute is located on the enterprise-wide DS config object. The path for this attribute is:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
Use the Active Directory editing tool of your choice to set the “tombstoneLifetime” attribute to a number of days larger than the age of the backup used to restore Active Directory. Supported tools include Adsiedit.msc, Ldp.exe, and Active Directory Service Interfaces (ADSI) scripts.
Note This information assumes that the backup is not older than the default “tombstoneLifetime” setting. Otherwise, the objects have already been deleted from the database. In this case, an authoritative restore may be the better alternative if there are multiple domain controllers.
The “tombstoneLifetime” attribute represents the number of days a backup of Active Directory can be used, in addition to the frequency with which Garbage Collection routines (removing items previously marked for deletion) are run.
For more information about Garbage Collection, click the following article number to view the article in the Microsoft Knowledge Base:
198793 The Active Directory database Garbage Collection process
http://support.microsoft.com/kb/198793/

Changes to the tombstone lifetime attribute in Windows Server 2003 Service Pack 1
The default tombstone lifetime value has sometimes proven to be too short. For example, pre-staged domain controllers are sometimes in transit to their final destination for longer than 60 days. Administrators regularly do not bring offline domain controllers into operation or resolve replication failures for longer than the number of days that is specified by the default tombstone lifetime attribute.
Windows Server 2003 Service Pack 1 (SP1) increases the attribute value from 60 to 180 days in the following scenarios:
You use Windows Server 2003 SP1 slipstreamed media to upgrade a Microsoft Windows NT 4.0 domain to a Windows Server 2003 domain. When you perform the upgrade, you create a new forest.
You promote a computer that is running Windows Server 2003 SP1 to a domain controller. When you promote the domain controller, you create a new forest.
The original release version of Windows Server 2003 SP1 does not modify the value of the tombstone lifetime attribute when the following conditions are true:
You upgrade a Windows 2000 domain to a Windows Server 2003 domain by using Windows Server 2003 SP1 slipstreamed media.
You install Windows Server 2003 SP1 on domain controllers that are running the original release version of Windows Server 2003.
Increasing the tombstone lifetime attribute for a domain to 180 days increases the following items:
The useful life of backups that are used for data recovery scenarios.
The useful life of system state backups that are used for promotions using the Install from Media feature.
The time that domain controllers can be offline. (Computers that are built in a staging site and shipped to destination sites frequently approach tombstone lifetime expiration.)
The time that a domain controller may be offline and still return to the domain successfully.
The time that a domain controller may experience a replication failure and still return to the domain successfully.
The number of days that the originating domain controller retains knowledge of deleted objects.

Technical support for Windows x64 editions
Your hardware manufacturer provides technical support and assistance for Microsoft Windows x64 editions. Your hardware manufacturer provides support because a Windows x64 edition was included with your hardware. Your hardware manufacturer might have customized the Windows x64 edition installation with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your Windows x64 edition. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.
For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:
http://www.microsoft.com/windowsxp/64bit/default.mspx
For product information about Microsoft Windows Server 2003 x64 editions, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserver2003/64bit/x64/editions.mspx
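As an added example that is not part of the KB article, the following PowerShell reads the tombstoneLifetime attribute from the Directory Service object at the path given above through ADSI (one of the supported tool types), reports whether a system-state backup taken on a given date is still inside the lifetime, and wraps the article's resolution (raising the value) in a function that honours -WhatIf. It assumes a domain-joined host with read access to the Configuration partition; the backup date is an assumed input.

```powershell
# Added example, not part of the KB article. Reads tombstoneLifetime from
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>
# and checks a backup's age against it. Run on a domain-joined host.

function Get-DirectoryServiceObject {
    # RootDSE tells us the Configuration naming context of the forest we are in,
    # so the path does not have to be typed in for each forest.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    return [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
}

function Get-TombstoneLifetime {
    $dsObj = Get-DirectoryServiceObject
    $value = $dsObj.Properties['tombstoneLifetime'].Value
    # When the attribute has never been written, the default of 60 days is in effect.
    if ($null -eq $value) { return 60 }
    return [int]$value
}

function Test-AdBackupUsable {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,    # assumed input: when the system-state backup was taken
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetime)
    )
    $ageDays = [math]::Floor(((Get-Date) - $BackupDate).TotalDays)
    [pscustomobject]@{
        BackupDate            = $BackupDate
        AgeDays               = $ageDays
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        DaysRemaining         = $TombstoneLifetimeDays - $ageDays
        # Past the lifetime, the rest of the enterprise has already garbage-collected
        # the tombstones the restored copy would need; such a backup must not be restored.
        Usable                = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

function Set-TombstoneLifetime {
    # The article's resolution: raise the value so the backup falls inside it.
    # Supports -WhatIf so the change can be reviewed before it is written.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$Days)
    $dsObj = Get-DirectoryServiceObject
    if ($PSCmdlet.ShouldProcess($dsObj.Path, "Set tombstoneLifetime to $Days days")) {
        $dsObj.Put('tombstoneLifetime', $Days)
        $dsObj.SetInfo()
    }
}

# Example run: is a backup taken 75 days ago still usable under the current setting?
Test-AdBackupUsable -BackupDate (Get-Date).AddDays(-75) | Format-List
```

With the default of 60 days the 75-day-old backup reports Usable = False and DaysRemaining = -15; in a forest created with SP1 media (180 days) the same backup is still usable.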

The CDS_RESET flag of the ChangeDisplaySettingsEx function does not work as expected in Windows Vista or in Windows Server 2008

Symptoms
You use the ChangeDisplaySettingsEx function together with the CDS_RESET flag to reinitialize the graphics adapter on a computer that runs Windows Vista or Windows Server 2008. However, if the requested settings are the same as the current settings of the display adapter, the system does not trigger an activation of the video present network (VidPN) on the display adapter. Therefore, the graphics adapter is not fully reinitialized.
Resolution
After you apply this hotfix, you can set a CDS_RESET_EX flag for the ChangeDisplaySettingsEx function to fully reinitialize the video driver. The CDS_RESET_EX flag is defined as follows:

#define CDS_RESET_EX 0x20000000

Hotfix information
Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a “Hotfix download available” section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The “Hotfix download available” form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
To apply this hotfix on a Windows Vista-based computer, you must have Windows Vista Service Pack 1 installed on the computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
935791 How to obtain the latest Windows Vista service pack
http://support.microsoft.com/kb/935791/
No prerequisites are required for Windows Server 2008-based computers.
Restart requirement
You have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Vista and Windows Server 2008 file information notes
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.

Version          Product                                        Milestone  Service branch
6.0.6000.16xxx   Windows Vista                                  RTM        GDR
6.0.6000.20xxx   Windows Vista                                  RTM        LDR
6.0.6001.18xxx   Windows Vista SP1 and Windows Server 2008 SP1  SP1        GDR
6.0.6001.22xxx   Windows Vista SP1 and Windows Server 2008 SP1  SP1        LDR

Service Pack 1 is integrated into Windows Server 2008. The .manifest files and the .mum files that are installed in each environment are listed separately in the “Additional file information for Windows Server 2008 and for Windows Vista” section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.

For all supported x86-based versions of Windows Server 2008 and Windows Vista

File name     File version     File size   Date         Time   Platform
Cdd.dll       6.0.6001.22380   36,864      18-Feb-2009  05:52  x86
Dxgkrnl.sys   6.0.6001.22380   625,152     18-Feb-2009  03:30  x86
Win32k.sys    6.0.6001.22380   2,033,664   18-Feb-2009  03:31  x86

For all supported x64-based versions of Windows Server 2008 and Windows Vista

File name     File version     File size   Date         Time   Platform
Cdd.dll       6.0.6001.22380   47,104      18-Feb-2009  07:50  x64
Dxgkrnl.sys   6.0.6001.22380   883,712     18-Feb-2009  05:27  x64
Win32k.sys    6.0.6001.22380   2,743,296   18-Feb-2009  05:29  x64

For all supported Itanium-based versions of Windows Server 2008

File name     File version     File size   Date         Time   Platform
Cdd.dll       6.0.6001.22380   105,472     18-Feb-2009  04:51  IA-64
Dxgkrnl.sys   6.0.6001.22380   1,981,952   18-Feb-2009  02:38  IA-64
Win32k.sys    6.0.6001.22380   6,634,496   18-Feb-2009  02:39  IA-64

An ASP.NET request that has lots of form keys, files, or JSON payload members fails with an exception

Symptoms
Microsoft security update MS11-100 limits the maximum number of form keys, files, and JSON members to 1000 in an HTTP request. Because of this change, ASP.NET applications reject requests that have more than 1000 of these elements. HTTP clients that make these kinds of requests will be denied, and an error message will appear in the web browser. The error message will usually have an HTTP 500 status code. This new limit can be configured on a per-application basis. Please see the “Resolution” section for configuration instructions.

Resolution
ASP.NET requests that have lots of form keys, files, or JSON payload members receive an error response from the server. The Application log on the server has a Warning entry with a Source that is a specific version of ASP.NET, and an Event ID of 1309. The event log contains one of the following messages:

Message 1:

Application information:
Application domain: /LM/W3SVC/1/ROOT/<App Domain>
Trust level: Medium
Application Virtual Path: <VDIR Path>
Application Path: <App Path>
Machine name: <Machine Name>
Process information:
Process ID: 0001
Process name: w3wp.exe
Account name: IIS APPPOOL\DefaultAppPool
Exception information:
Exception type: HttpException
Exception message: The URL-encoded form data is not valid.
at System.Web.HttpRequest.FillInFormCollection()
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.get_HasForm()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Message 2:

Application information:
Application domain: /LM/W3SVC/1/ROOT/<App Domain>
Trust level: Medium
Application Virtual Path: <VDIR Path>
Application Path: <App Path>
Machine name: <Machine Name>
Process information:
Process ID: 0001
Process name: w3wp.exe
Account name: IIS APPPOOL\DefaultAppPool
Exception information:
Exception type: InvalidOperationException
Exception message: Operation is not valid due to the current state of the object.
at System.Web.HttpRequest.FillInFilesCollection()
at System.Web.HttpRequest.get_Files()
at FileUpload.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint

Message 3:

Application information:
Application domain: /LM/W3SVC/1/ROOT/<App Domain>
Trust level: Medium
Application Virtual Path: <VDIR Path>
Application Path: <App Path>
Machine name: <Machine Name>
Process information:
Process ID: 0001
Process name: w3wp.exe
Account name: IIS APPPOOL\DefaultAppPool
Exception information:
Exception type: InvalidOperationException
Exception message: Operation is not valid due to the current state of the object.
at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth)
at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth)
at System.Web.Script.Serialization.JavaScriptObjectDeserializer.BasicDeserialize(String input, Int32 depthLimit, JavaScriptSerializer serializer)
at System.Web.Script.Serialization.JavaScriptSerializer.Deserialize(JavaScriptSerializer serializer, String input, Type type, Int32 depthLimit)
at System.Web.Script.Serialization.JavaScriptSerializer.DeserializeObject(String input)
at Failing.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
The IIS log file shows an entry that resembles the following:
2011-01-01 00:00:00 ::1 POST /machine/default.aspx - 80 - ::1 - 500 0 0 187
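As an added example that is not part of the KB article, the following PowerShell reports an application's effective per-request limits from its web.config and pulls the Event ID 1309 warnings described above from the Application log, classifying each one by the collection that hit the limit using the stack frames shown in the three messages. The appSettings keys aspnet:MaxHttpCollectionKeys and aspnet:MaxJsonDeserializerMembers are the per-application settings that MS11-100 introduced; the article does not name them, so treat them as an assumption here, as is the web.config path.

```powershell
# Added example, not part of the KB article.
# Assumption: MS11-100's per-application settings are the appSettings keys
# aspnet:MaxHttpCollectionKeys (form keys and files) and
# aspnet:MaxJsonDeserializerMembers (JSON members), both defaulting to 1000.

function Get-AspNetCollectionLimits {
    param([Parameter(Mandatory)][string]$WebConfigPath)   # assumed input, e.g. C:\inetpub\wwwroot\web.config
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
    $limits = @{
        'aspnet:MaxHttpCollectionKeys'      = 1000
        'aspnet:MaxJsonDeserializerMembers' = 1000
    }
    # An explicit <add key=... value=...> under <appSettings> overrides the default.
    foreach ($add in @($cfg.configuration.appSettings.add)) {
        if ($add -and $limits.ContainsKey($add.key)) { $limits[$add.key] = [int]$add.value }
    }
    [pscustomobject]@{
        WebConfig                  = $WebConfigPath
        MaxHttpCollectionKeys      = $limits['aspnet:MaxHttpCollectionKeys']
        MaxJsonDeserializerMembers = $limits['aspnet:MaxJsonDeserializerMembers']
    }
}

# Stack frames from the three event messages above, mapped to the limit that was hit.
$script:FrameToLimit = [ordered]@{
    'HttpRequest.FillInFormCollection'  = 'form keys (MaxHttpCollectionKeys)'
    'HttpRequest.FillInFilesCollection' = 'uploaded files (MaxHttpCollectionKeys)'
    'JavaScriptObjectDeserializer'      = 'JSON members (MaxJsonDeserializerMembers)'
}

function Get-AspNetLimitRejections {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Application'; Id = 1309; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.ProviderName -notlike 'ASP.NET*') { continue }   # Source is "ASP.NET <version>"
        $hit = $script:FrameToLimit.Keys | Where-Object { $e.Message -like "*$_*" } | Select-Object -First 1
        if (-not $hit) { continue }   # some other 1309 warning, not a limit rejection
        $appPath = if ($e.Message -match 'Application Virtual Path:\s*(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            AppPath = $appPath
            Limit   = $script:FrameToLimit[$hit]
            Source  = $e.ProviderName
        }
    }
}

# Example run: a burst of rejections against one application in a short window suggests
# the limit is doing its job; a steady trickle from legitimate forms suggests that
# application needs a higher per-application value rather than a server-wide change.
Get-AspNetLimitRejections -Hours 24 | Group-Object AppPath, Limit | Select-Object Count, Name
```

Correlate the Time column with 500 responses in the IIS log (the POST line above is the shape to look for) to tie each rejection back to the requesting client.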

Event ID 5719 is logged when you start a Domain Member

Symptoms
Important Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur:
http://support.microsoft.com/kb/322756/
Consider the following scenario:
You have a computer that is running one of the operating systems that is mentioned in the “Applies to” section.
The computer is joined to a domain.
One of the following conditions is true:
The computer has a Gigabit network adapter installed.
You secure the network access by using Network Access Protection (NAP), network authentication, or another method.
In this scenario, the following event is logged in the System log when you start the computer:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Date: Date
Time: Time
User: N/A
Computer: Server
Description:
No Domain Controller is available for domain <domain name> due to the following: There are currently no logon servers available to service the logon request. Make sure that the computer is connected to the network and try again. If the problem persists, contact your domain administrator.
Resolution
This issue may occur for any of the following reasons:
You are using a Gigabit network adapter and the Netlogon service starts before the network is ready.
Solutions that verify the health of the new network member delay the network connection and your ability to access domain controllers. If you have an automatic Direct Access channel connection enabled, this may also require more time to perform than Netlogon allows.
The 802.1X authentication process delays connections to the domain controllers.
The client experiences a delay to retrieve an IP address from the DHCP server. This delays the display of the network interface.

Troubleshooting AD Replication error 8606: “Insufficient attributes were given to create an object”

Symptoms
This article describes the symptoms and cause of an issue in which Active Directory replication is unsuccessful and generates error 8606: “Insufficient attributes were given to create an object. This object may not exist because it may have been deleted.” This article also describes a resolution for this issue.
Resolution
Symptom 1
The DCDIAG reports that the Active Directory Replications test failed with error 8606: “Insufficient attributes were given to create an object.”

Starting test: Replications
[Replications Check, <Destination DC>] A recent replication attempt failed:
From <source DC> to <destination DC>
Naming Context: <directory partition DN path>
The replication generated an error (8606):
Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected
The failure occurred at <date> <time>
The last success occurred at <date> <time>
Symptom 2
Incoming replication that is triggered by the Replicate Now command in the Active Directory Sites and Services snap-in DSSITE.MSC is unsuccessful and generates the error “Insufficient attributes were given to create an object.” When you right-click a connection object from a source DC and then select Replicate now, the replication is unsuccessful and generates the following error: “Access is denied.” Additionally, you receive the following error message:

Dialog title text: Replicate Now
Dialog message text: The following error occurred during the attempt to synchronize naming context <%active directory partition name%> from domain controller <source DC> to domain controller <destination DC>:
Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
The operation will not continue
Symptom 3
Various REPADMIN.EXE commands fail with error 8606. These commands include but are not limited to the following:

repadmin /add
repadmin /replsum
repadmin /showrepl
repadmin /syncall
Symptom 4
Event 1988 is logged shortly after one of the following events occurs:
The first Windows Server 2008 R2 domain controller in the forest is deployed.
Any update to the partial attribute set is made.
Symptom 5
NTDS replication event 1988 may be logged in the Directory Service event log of domain controllers that are trying to inbound-replicate Active Directory.

Type: Error
Source: NTDS Replication
Category: Replication
Event ID: 1988
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: <hostname of DC that logged event, aka the “destination” DC in the replication attempt>
Description: The local domain controller has attempted to replicate the following object from the following source domain controller. This object is not present on the local domain controller because it may have been deleted and already garbage collected.
Source domain controller:
<fully qualified GUIDED CNAME of source DC>
Object:
<DN path of live object on source DC>
Object GUID:
<object GUID of object on source DCs copy of Active Directory>
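As an added example that is not part of the KB article, the following PowerShell pulls event 1988 from the Directory Service log on the destination DC, extracts the source DC, object DN and object GUID from the label-then-value layout shown in Symptom 5, and groups the results by source so you can see which replication partner is offering objects the local DC has already garbage-collected. The message parsing is mine, and the sample message is constructed to match the layout above.

```powershell
# Added example, not part of the KB article. Parses the event 1988 message layout
# shown above (each label on its own line, its value on the next line).

function ConvertFrom-Event1988Message {
    param([Parameter(Mandatory)][string]$Message)
    $fields = @{}
    foreach ($label in 'Source domain controller', 'Object', 'Object GUID') {
        # Anchor on the capitalised label at line start so the lowercase prose in the
        # first paragraph ("...source domain controller.") is not picked up.
        $pattern = '(?m)^' + [regex]::Escape($label) + ':[ \t]*\r?\n[ \t]*(\S.*?)\s*$'
        $m = [regex]::Match($Message, $pattern)
        $fields[$label] = if ($m.Success) { $m.Groups[1].Value } else { $null }
    }
    [pscustomobject]@{
        SourceDC   = $fields['Source domain controller']   # GUID-based CNAME of the source DC
        ObjectDN   = $fields['Object']                     # live object on the source DC
        ObjectGuid = $fields['Object GUID']
    }
}

function Get-LingeringObjectReports {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Directory Service'; Id = 1988; StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $parsed = ConvertFrom-Event1988Message -Message $_.Message
        $parsed | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
    }
}

# Constructed sample message in the Symptom 5 layout (not a real event).
$sample = @"
The local domain controller has attempted to replicate the following object from the following source domain controller. This object is not present on the local domain controller because it may have been deleted and already garbage collected.

Source domain controller:
11111111-2222-3333-4444-555555555555._msdcs.corp.example
Object:
CN=Jane Doe,OU=Staff,DC=corp,DC=example
Object GUID:
66666666-7777-8888-9999-aaaaaaaaaaaa
"@
ConvertFrom-Event1988Message -Message $sample

# On a live destination DC: which partners are offering already-garbage-collected objects?
Get-LingeringObjectReports -Days 7 | Group-Object SourceDC | Select-Object Count, Name
```

The ObjectDN and ObjectGuid values are what you need when you examine the object on the source DC named in SourceDC; a source that keeps appearing across many objects is the partner whose replication history deserves attention first.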
