question

KaniSP-1325 asked BruceZhang-MSFT answered

IIS Security Patches

Does Microsoft include all IIS-related security updates/patches along with Windows OS updates?

If yes, what are the applicable Windows Server OSes, and from when?

Is there a KB article which has the details?

Found the below link, but nothing from Microsoft:
https://forums.iis.net/t/1236298.aspx?How+to+update+IIS+


CVE-2021-31166 is included in the cumulative update for Windows 10. Not sure if it is the same for Windows 2008/2008 R2/2012 R2/2016.

windows-server-iis-security

yagmoth555 answered yagmoth555 edited

Hi

Yes, it does the IIS update with the OS Windows Update.

To double check if the KB is installed and to search for CVE I recommend msrc.microsoft.com.

For CVE-2021-31166 it seems to impact only Windows 10, version 2004, all editions; Windows Server, version 2004; Windows 10, version 20H2, all editions; Windows Server, version 20H2, all editions; Windows 10, version 21H1, all editions.

Check there: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-31166

And there for any download: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5003173


Thanks
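
To go with the "double check if the KB is installed" step in the answer above, here is an added example (not written by anyone in this thread) that reports the local OS build, the IIS version and whether a given KB appears in the installed-update list. It assumes it is run locally in PowerShell on the server; the `$KbId` parameter name is this example's own, and its default is the KB linked above.

```powershell
# Added example (not from the thread): local patch-state report for an IIS host.
# $KbId defaults to the KB linked in the answer above; pass another ID as needed.
param(
    [string]$KbId = 'KB5003173'
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# UBR (update build revision) only exists on Windows 10 / Server 2016 and later.
$build = if ($null -ne $cv.UBR) { "$($os.BuildNumber).$($cv.UBR)" } else { $os.BuildNumber }

# IIS records its version under this key when the web server feature is installed.
$iis = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
$iisVersion = if ($iis) { $iis.VersionString } else { 'IIS not installed' }

# All updates the OS lists as installed, the requested KB, and the newest entry.
$installed = @(Get-HotFix -ErrorAction SilentlyContinue)
$match     = $installed | Where-Object { $_.HotFixID -eq $KbId }
$latest    = $installed |
    Where-Object { $_.InstalledOn } |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 1

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    OS           = $os.Caption
    Build        = $build
    IIS          = $iisVersion
    KbChecked    = $KbId
    KbListed     = [bool]$match
    LatestHotFix = if ($latest) {
        '{0} ({1:yyyy-MM-dd})' -f $latest.HotFixID, $latest.InstalledOn
    } else {
        'none listed'
    }
}
```

`KbListed = False` alone does not mean the host is unpatched: a later cumulative update replaces the earlier one in the list, so compare `Build` with the build shown for your OS in the Update Guide entry.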


BruceZhang-MSFT answered

Hi @KaniSP-1325 ,

The updates of different versions of IIS are accompanied by the updates of Windows OS and Windows Server OS.

1.0: Included with Windows NT 3.51 SP 3
2.0: Included with Windows NT Server 4.0
3.0: Included with Windows NT Server 4.0 Service Pack 3
4.0: Self-contained download
5.0: Built-in component of Windows 2000
5.1: Built-in component of Windows XP Professional
6.0: Built-in component of Windows Server 2003
7.0: Built-in component of Windows Vista and Windows Server 2008
7.5: Built-in component of Windows 7 and Windows Server 2008 R2
8.0: Built-in component of Windows 8 and Windows Server 2012
8.5: Built-in component of Windows 8.1 and Windows Server 2012 R2
10: Built-in component of Windows 10 and Windows Server 2016

If you check the article about CVE-2021-31166, you will find all the systems supported by this update.

If you want your system (Windows 2008/2008 R2/2012 R2/2016) to be supported by this update, you can report your needs in the Microsoft Lifecycle Policy.


Best regards,
Bruce Zhang
