IIS Security Patches

Pitchaikkani Shanmugam 6 Reputation points
2021-09-13T16:25:43.683+00:00

Does Microsoft include all IIS-related security updates/patches along with Windows OS updates?

If yes, which Windows Server OS versions does this apply to, and from when?

Is there a KB article which has the details?

Found the link below, but nothing from Microsoft:
https://forums.iis.net/t/1236298.aspx?How+to+update+IIS+

CVE-2021-31166 is included in the cumulative update for Windows 10. Not sure whether it is the same for Windows 2008/2008 R2/2012 R2/2016.

Internet Information Services

2 answers

  1. Philippe Levesque 5,691 Reputation points MVP
    2021-09-13T17:38:17.67+00:00

    Hi

    Yes, IIS is updated with the OS through Windows Update.

    To double-check whether the KB is installed and to search for a CVE, I recommend msrc.microsoft.com.

    For CVE-2021-31166, it seems to impact only: Windows 10, version 2004, all editions; Windows Server version 2004; Windows 10, version 20H2, all editions; Windows Server, version 20H2, all editions; Windows 10, version 21H1, all editions.

    Check there: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-31166

    And there for any download: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5003173

    Thanks

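One way to run the check recommended in the answer above on a server, as an added PowerShell example that is not part of the thread. It assumes the KB5003173 number quoted above and reads the IIS and OS build values from their standard registry locations; the function name `Get-IisPatchState` is hypothetical.

```powershell
# Added example: report the IIS version, the OS build and whether a given KB is recorded.
function Get-IisPatchState {
    [CmdletBinding()]
    param(
        # KB number quoted in the answer above; pass another one to check a different update.
        [string]$KbId = 'KB5003173'
    )

    # IIS writes its version here when the Web Server role/feature is installed.
    $iis = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue

    # OS build and update revision (UBR). UBR is missing on older systems.
    $os = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = if ($null -ne $os.UBR) { '{0}.{1}' -f $os.CurrentBuildNumber, $os.UBR }
             else { $os.CurrentBuildNumber }

    # Is the named KB listed among the installed updates?
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # Most recently installed update, for comparison when the named KB is not listed.
    $latest = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        IisInstalled   = [bool]$iis
        IisVersion     = if ($iis) { '{0}.{1}' -f $iis.MajorVersion, $iis.MinorVersion } else { $null }
        OsProduct      = $os.ProductName
        OsBuild        = $build
        KbId           = $KbId
        KbInstalled    = [bool]$hotfix
        KbInstalledOn  = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        LatestUpdate   = if ($latest) { $latest.HotFixID } else { $null }
        LatestUpdateOn = if ($latest) { $latest.InstalledOn } else { $null }
    }
}

Get-IisPatchState | Format-List
```

A later cumulative update replaces the earlier one, so `KbInstalled` can be false on a machine that already has the fix. In that case compare `OsBuild` with the build number listed in the KB article.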

  2. Bruce Zhang-MSFT 3,736 Reputation points
    2021-09-14T05:25:04.98+00:00

    Hi anonymous user,

    The updates of different versions of IIS are accompanied by the updates of Windows OS and Windows Server OS.

    - 1.0: Included with Windows NT 3.51 SP 3.
    - 2.0: Included with Windows NT Server 4.0.
    - 3.0: Included with Windows NT Server 4.0 Service Pack 3.
    - 4.0: Self-contained download.
    - 5.0: Built-in component of Windows 2000.
    - 5.1: Built-in component of Windows XP Professional.
    - 6.0: Built-in component of Windows Server 2003.
    - 7.0: Built-in component of Windows Vista and Windows Server 2008.
    - 7.5: Built-in component of Windows 7 and Windows Server 2008 R2.
    - 8.0: Built-in component of Windows 8 and Windows Server 2012.
    - 8.5: Built-in component of Windows 8.1 and Windows Server 2012 R2.
    - 10: Built-in component of Windows 10 and Windows Server 2016.

    If you check the article about CVE-2021-31166, you will find all the systems supported by this update.

    If you want your system (Windows 2008/2008 R2/2012 R2/2016) to be supported by this update, you can report your needs in the Microsoft Lifecycle Policy.


    If the answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Bruce Zhang
