С 15.06.2022 г. IE 11 не поддерживается
IE11 станет недоступным с 14.02.2023. Сайты, созданные для IE, можно перезапустить в режиме IE в Microsoft Edge.
В программном продукте Microsoft обнаружена проблема безопасности, которая может повлиять на вашу систему.
Важно! Если выбрать язык ниже, содержимое страницы динамически отобразится на выбранном языке.
-
Date Published:
15.01.2022
File Name:
Windows6.1-KB2992611-x86.msu
В программном продукте Microsoft обнаружена проблема безопасности, которая может повлиять на вашу систему. Чтобы защитить компьютер, установите данное обновление, выпущенное корпорацией Майкрософт. Полный список проблем, устраняемых этим обновлением, см. в соответствующей статье базы знаний Майкрософт. После установки этого обновления может потребоваться перезагрузить компьютер.
-
Поддерживаемые операционные системы
Windows 7 Service Pack 1
-
- Чтобы начать загрузку, нажмите кнопку Загрузить и выполните одно из указанных действий или выберите другой язык в списке Изменить язык и нажмите кнопку Изменить.
- Чтобы начать установку сразу, нажмите кнопку Выполнить.
- Чтобы загрузить файл на компьютер и выполнить установку позднее, нажмите кнопку Сохранить.
-
Имеются другие критические обновления для системы безопасности. Чтобы получить последние обновления для системы безопасности, посетите веб-сайт Центра обновления Windows и нажмите кнопку Быстрая установка. Чтобы обновления загружались непосредственно на компьютер, посетите веб-сайт Безопасность дома и выполните рекомендации по обеспечению защиты.
Update Windows 7 KB2992611
Update Windows 7 KB2992611. Security Update for Windows 7 for x86-based and x64-based Systems (KB2992611).
A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the KB2992611 associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.
Install resources KB2992611
Architecture: X86 & AMD64
Classification: Security Updates.
Supported products: Windows 7.
Supported languages: all
MSRC Number: MS14-066
MSRC severity: Critical.
KB article numbers: 2992611
Restart behavior: Can request restart.
May request user input: No
Must be installed exclusively:
Requires network connectivity: No
Uninstall Notes: This software update can be removed by selecting View installed updates in the Programs and Features Control Panel.
Uninstall Steps: n/a
Rate this program
- 1
- 2
- 3
- 4
- 5
4.0 out of 5 stars (1 Rating)
Windows 7 KB2992611 32-bit
Language
All languages
MD5 Checksum
3c674e0eb7ad99ca10e503d4d8b8e7e2
Windows 7 KB2992611 64-bit
Language
All languages
MD5 Checksum
b888d11ca01c20cbdfe93f274c5f8439
Secure and Fast Download — Software Verified
Security Update for Windows 7 (KB2992611) |
A security issue has been identified in a Microsoft software product that could affect your system.
- A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.
| Knowledge Base Articles: |
|
|---|---|
| Security Bulletins: |
|
Files
Status: LiveThis download is still available on microsoft.com. Since you’re using a legacy operating system, the downloads below are archives provided by the Internet Archive Wayback Machine from the Microsoft Download Center prior to August 2020. |
| File | Size |
|---|---|
| Windows6.1-KB2992611-x86.msu
SHA1: |
3.06 MB |
System Requirements
Operating Systems: Windows 7 Service Pack 1
Installation Instructions
-
- To start the download, click the Download button and then do one of the following, or select another language from Change Language and then click Change.
- Click Run to start the installation immediately.
- Click Save to copy the download to your computer for installation at a later time.
Related Resources
- Microsoft Security Bulletin
Статья обновлена: 23 сентября 2024
ID: 15934
Статья применима к Kaspersky Thin Client (все версии).
Для работы Kaspersky Thin Client с ОС Windows 7 установите патчи Windows KB2992611, KB3080079 и KB4103712, а затем выполните настройку конфигурации на Windows 7 по инструкции ниже.
Шаг 1. Проверьте наличие патчей
Шаг 2. Скачайте и установите патчи
Шаг 3. Создайте и установите сертификат RDP с шифрованием SHA256
Шаг 4. Установите подключение к Windows 7 по RDP
Kaspersky Thin Client готов к работе с Windows 7, но изображение на экране может содержать артефакты. Чтобы исправить эту проблему, выполните следующие шаги.
Шаг 5. Обновите RDP до версии 8.0
Шаг 6. Измените групповую политику Windows 7
Спасибо за ваш отзыв, вы помогаете нам становиться лучше!
Спасибо за ваш отзыв, вы помогаете нам становиться лучше!
(updated 11/18 for re-issue, see below)
Microsoft released one of the most important patches in many years on
Tuesday, and while I would advise you install it right away I also want to
make you aware of some odd behavior I found that could lead to problems.
First, a primer:
Here
are the release notes and here
is more information. This is the worst kind of exploit there can be; a
remote code execution with no workarounds. If one knew the details, they
could easily exploit any Microsoft based internet facing server supporting
TLS and then turn around and use it to infect unpatched Windows based
clients. Obviously you should patch immediately.
That said, you will notice that they mention the addition of four new
cipher suites but there is one other change that may impact you that is
not mentioned. I’ve found that this patch also re-orders the cipher
suites. Historically Microsoft has notified customers when re-ordering
cipher suites; see KB2919355
for example.
This is important to understand for two reasons, one theoretical and one
practical.
- Theoretical is that changing cipher suites impacts your security
posture, and one should always know these things going into a patch.
Fortunately most of the re-order does seem in line with a tighter
security policy. - Practical is that this can break connectivity with some applications.
Specifically, one of my peers found that Java 6 based applications
attempting purposely or otherwise to use the ECDH
key agreement protocol will fail to connect. This happens when Windows
based services present ECDH before the older RSA. Side note:
Oddly the Microsoft JDBC driver tries to negotiate SSL even if it isn’t
being used for a connection to SQL.
Here are the cipher suite details, first 2008 R2:
| 2008 R2 Default Before KB299261 | 2008 R2 Default After KB299261 |
|---|---|
| TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 |
| TLS_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521 |
| TLS_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521 |
| TLS_RSA_WITH_RC4_128_SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521 |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 | TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 | TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 | TLS_RSA_WITH_NULL_MD5 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| SSL_CK_RC4_128_WITH_MD5 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| SSL_CK_DES_192_EDE3_CBC_WITH_MD5 | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_NULL_SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_NULL_SHA | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 | |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | |
| TLS_RSA_WITH_RC4_128_SHA | |
| TLS_RSA_WITH_RC4_128_MD5 | |
| TLS_RSA_WITH_NULL_SHA256 | |
| TLS_RSA_WITH_NULL_SHA | |
| SSL_CK_RC4_128_WITH_MD5 | |
| SSL_CK_DES_192_EDE3_CBC_WITH_MD5 |
And 2012 (not R2):
| 2012 Default Before KB299261 | 2012 Default After KB299261 |
|---|---|
| TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 |
| TLS_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_WITH_AES_256_CBC_SHA | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_RSA_WITH_RC4_128_SHA | TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 | TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 |
| TLS_RSA_WITH_RC4_128_MD5 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 |
| SSL_CK_RC4_128_WITH_MD5 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| SSL_CK_DES_192_EDE3_CBC_WITH_MD5 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_NULL_SHA256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_NULL_SHA | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | |
| TLS_RSA_WITH_RC4_128_SHA | |
| TLS_RSA_WITH_RC4_128_MD5 | |
| TLS_RSA_WITH_NULL_SHA256 | |
| TLS_RSA_WITH_NULL_SHA | |
| SSL_CK_RC4_128_WITH_MD5 | |
| SSL_CK_DES_192_EDE3_CBC_WITH_MD5 |
2012 R2 is unchanged since the aforementioned April patch.
The point is that you should ensure your applications & clients don’t
have an issue with the cipher suite re-order. It’s unlikely that your apps
will have a problem but worthwhile to do a quick connectivity check in a
test environment to be sure. If you do have issues you can re-order your
suites after the patch by manipulating the registry keys listed here
(not necessarily deleting the keys they list); use the before/after
information above for reference. For more information about prioritizing
cipher suites, see this.
It’s unfortunate that they didn’t communicate this change as it may have
unanticipated impacts. Here’s hoping they return to their generally good
communication in the next cycle.
Update 11/18/2014:
As I’m sure you’ve heard, Microsoft has released
three patches today, one of which is a re-issue of the patch mentioned
in this post. The re-issue removes the four newly added cipher suites as
there have been multiple problems reported with them. Microsoft also updated
their article to
include the following statement:
«Customers who customized their cipher suite priority list should review
their list after they apply this update to make sure that the sequence
meets their expectations.
Removing these cipher suites does not affect the security updates that are
part of this release. On November 18, 2014, a new secondary package was
added to the release for Windows Server 2008 R2 and Windows Server 2012 to
achieve this. This new package is update 3018238, and it will install
automatically and transparently together with security update 2992611. It
will appear separately in the list of installed updates. If you already
have security update 2992611 installed, you will notice that security
update 2992611 will be reoffered (for Windows Server 2008 R2 or Windows
Server 2012 only) by Windows Update or by Windows Server Update Services
(WSUS) to make sure that update 3018238 is also installed.
The cipher suites may be re-added to the default priority list in a future
release after the community has had an opportunity to make sure of correct
execution in all customer scenarios.
«
I’ve just re-applied the newly released patches using WSUS to evaluate them.
Note that you must re-appy using the same method you originally applied
with, meaning that if you downloaded manually you would need to repeat that,
and if you applied via WSUS you would need to use that methodology. Upon
reviewing the «new» cipher suite order I was both surprised and happy with
what I found:
| Server 2008 R2 2992611 Patch 1 (11/14) |
Server 2008 R2 2992611 Patch 2 (11/18) |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 | TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521 | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521 | TLS_RSA_WITH_RC4_128_SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521 | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_RSA_WITH_NULL_MD5 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_RC4_128_MD5 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | SSL_CK_RC4_128_WITH_MD5 |
| TLS_RSA_WITH_AES_256_CBC_SHA | SSL_CK_DES_192_EDE3_CBC_WITH_MD5 |
| TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_NULL_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 | TLS_RSA_WITH_NULL_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 | |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | |
| TLS_RSA_WITH_RC4_128_SHA | |
| TLS_RSA_WITH_RC4_128_MD5 | |
| TLS_RSA_WITH_NULL_SHA256 | |
| TLS_RSA_WITH_NULL_SHA | |
| SSL_CK_RC4_128_WITH_MD5 | |
| SSL_CK_DES_192_EDE3_CBC_WITH_MD5 |
And now 2012:
| Server 2012 2992611 Patch 1 (11/14) |
Server 2012 2992611 Patch 2 (11/18) |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 | TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS_RSA_WITH_RC4_128_SHA |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 |
| TLS_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 |
| TLS_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 | TLS_RSA_WITH_RC4_128_MD5 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | SSL_CK_RC4_128_WITH_MD5 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | SSL_CK_DES_192_EDE3_CBC_WITH_MD5 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_NULL_SHA256 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_NULL_SHA |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | |
| TLS_RSA_WITH_RC4_128_SHA | |
| TLS_RSA_WITH_RC4_128_MD5 | |
| TLS_RSA_WITH_NULL_SHA256 | |
| TLS_RSA_WITH_NULL_SHA | |
| SSL_CK_RC4_128_WITH_MD5 | |
| SSL_CK_DES_192_EDE3_CBC_WITH_MD5 |
Again, no changes for 2012 R2. If the above looks familiar, good eye.
They’re the same as pre-patch:
Server 2008 «patch 2» vs. no patch:
| Server 2008 R2 2992611 Patch 2 (11/18) |
Server 2008 R2 Before Either 2992611 Patch |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_RC4_128_SHA | TLS_RSA_WITH_RC4_128_SHA |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
| TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_MD5 |
| SSL_CK_RC4_128_WITH_MD5 | SSL_CK_RC4_128_WITH_MD5 |
| SSL_CK_DES_192_EDE3_CBC_WITH_MD5 | SSL_CK_DES_192_EDE3_CBC_WITH_MD5 |
| TLS_RSA_WITH_NULL_SHA256 | TLS_RSA_WITH_NULL_SHA256 |
| TLS_RSA_WITH_NULL_SHA | TLS_RSA_WITH_NULL_SHA |
Server 2012 «patch 2» vs. no patch:
| Server 2012 2992611 Patch 2 (11/18) |
Server 2012 Before Either 2992611 Patch |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_RC4_128_SHA | TLS_RSA_WITH_RC4_128_SHA |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
| TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_MD5 |
| SSL_CK_RC4_128_WITH_MD5 | SSL_CK_RC4_128_WITH_MD5 |
| SSL_CK_DES_192_EDE3_CBC_WITH_MD5 | SSL_CK_DES_192_EDE3_CBC_WITH_MD5 |
| TLS_RSA_WITH_NULL_SHA256 | TLS_RSA_WITH_NULL_SHA256 |
| TLS_RSA_WITH_NULL_SHA | TLS_RSA_WITH_NULL_SHA |
So as it pertains to the cipher suite order, we’re right back where we
started. I’m sure this will alleviate some of the issues some customers
encountered. Keep in mind that there is more to this patch (binaries) than
the cipher suite re-order, so to echo the previous assesment it should be
installed.