What is the deal with KB 2260240 and its cousin KB 2742596–MS13-004?

The purpose of this particular blog post is to try and clear up some of the confusion swirling around about these two KBs and describe the circumstances under which one can expect to encounter the particular issue that KB 2260240 was designed to fix. What I am hoping is that this blog post will help both software developers and IT system administrators understand when to apply the hotfix (or the security roll-up that contains it, MS13-004).

The fix is for a very specific issue in the System.DirectoryServices.AccountManagement.DomainContext object on a specific set of operating system versions. The problem does not exist on the newer versions of the OS with the same version of the .Net Framework ( .Net 3.5 SP1/.Net 2.0 ). The fix will only apply to machines that are running applications which use the System.DirectoryServices.AccountManagement namespace. 

  • How do I know I need to insure this hotfix is applied in my environment?

If the client OS is Windows Vista, Windows 2008, Windows XP or Windows 2003, you will need to ensure that the hotfix is installed or that the MS13-004 update has been applied. The hotfix is rolled into the security update MS13-004.

If the client OS is Windows 7, Windows 2008 R2 or higher, then the fix has already been rolled up into the .Net 3.5 version for that OS and you will not need this hotfix. However, if there is a version of security update MS13-004 for your particular OS, it should be installed, since the roll-up contains other important security fixes as well.

Testing if a client has the fix installed or not is very easy once the client is joined to a 2008 R2 Functional Mode domain. Below is a short code snippet which can be used to build a console application that targets .Net Framework 3.5. If you build the code into an EXE with the name domainmode.exe, then the EXE can be transported to the client from a build box then executed with a simple command line similar to the following:

      domainmode.exe mydomain.com mydomain\user Password    

The application will create a DomainContext object using the specified domain and credential and then attempt to display the Domain.DomainMode property. If an exception is thrown by the application indicating that the domain mode is invalid, then the hotfix needs to be applied. If the domain mode is displayed, then you know this system will not experience the issue described in KB 2260240 for this domain mode.

NOTE:

The DomainMode issue will be exhibited on out-of-the-box Windows 7/2008 R2 systems running in Windows 2012 or higher domain functional mode domains if the application is built to target .Net Framework 3.5. If you experience this issue, the recommended solution is to update your application to the current version of the framework. Otherwise, you will need to report the issue to Microsoft. As with all issues that might be a bug for which you are requesting a fix, be prepared to clearly articulate why you need the particular behavior fixed in an older version of the framework. The bar for such fixes is very high, especially if a simple workaround is available.

Source code for simple domainmode.exe test console application:

using System;
using System.DirectoryServices.ActiveDirectory;

namespace DomainMode
{
    class Program
    {
        // Usage: domainmode.exe <domain> <domain\user> <password>
        static void Main(string[] args)
        {
            if (args.Length < 3)
            {
                Console.WriteLine("usage: domainmode.exe <domain> <domain\\user> <password>");
                return;
            }

            // Bind to the named domain with the supplied credential ...
            DirectoryContext dctx = new DirectoryContext(DirectoryContextType.Domain, args[0], args[1], args[2]);
            Domain dm = Domain.GetDomain(dctx);

            // ... and read DomainMode. On a client without the fix this getter throws for a
            // functional level the client's DomainMode enumeration does not contain.
            Console.WriteLine(dm.DomainMode.ToString());
        }
    }
}
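The test program above lets the exception escape, which is fine for a one-off run but makes the result hard to interpret when the bind itself fails. Here is an added example, not the blog's domainmode.exe, that takes the same three arguments, classifies the outcome (mode readable, invalid domain mode, or a directory failure that says nothing about the hotfix), and additionally reads the functional level as the raw msDS-Behavior-Version integer through System.DirectoryServices so the directory's value can be compared with what the client can represent. The ProbeResult names, the LooksLikeInvalidMode heuristic and the assumption that the unpatched getter surfaces the problem as an ArgumentException are this example's own; it needs references to System.DirectoryServices and System.DirectoryServices.AccountManagement's sibling System.DirectoryServices.ActiveDirectory (both in System.DirectoryServices.dll).

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

namespace DomainModeProbe
{
    // Added example, not the blog's code: result names and exception classification are assumptions.
    enum ProbeResult
    {
        ModeReadable,       // DomainMode came back: this client/framework combination handles this domain
        InvalidDomainMode,  // the getter rejected the level: KB 2260240 (or a newer framework) is needed
        DirectoryFailure    // bind, credential or connectivity failure: tells us nothing about the hotfix
    }

    static class Probe
    {
        // Same call as domainmode.exe, but the outcome is classified instead of crashing the process.
        public static ProbeResult ProbeDomainMode(string domain, string user, string password, out string detail)
        {
            try
            {
                var ctx = new DirectoryContext(DirectoryContextType.Domain, domain, user, password);
                detail = Domain.GetDomain(ctx).DomainMode.ToString();
                return ProbeResult.ModeReadable;
            }
            catch (ActiveDirectoryServerDownException ex)   // no DC reachable for this domain
            {
                detail = ex.GetType().Name + ": " + ex.Message;
                return ProbeResult.DirectoryFailure;
            }
            catch (Exception ex)
            {
                detail = ex.GetType().Name + ": " + ex.Message;
                return LooksLikeInvalidMode(ex) ? ProbeResult.InvalidDomainMode : ProbeResult.DirectoryFailure;
            }
        }

        // Assumption: the unpatched getter throws an ArgumentException (or subclass) for the unknown
        // level; the message check is a fallback in case the type differs on a given framework build.
        static bool LooksLikeInvalidMode(Exception ex)
        {
            return ex is ArgumentException
                || ex.Message.IndexOf("domain mode", StringComparison.OrdinalIgnoreCase) >= 0
                || ex.Message.IndexOf("DomainMode", StringComparison.Ordinal) >= 0;
        }

        // Reads the functional level as the raw integer stored on the domain naming context head.
        // This bypasses the DomainMode enumeration entirely, so it works on a client that lacks the fix.
        // Raw values: 0 = 2000, 1 = 2003 interim, 2 = 2003, 3 = 2008, 4 = 2008 R2, 5 = 2012, 6 = 2012 R2.
        // Note that this numbering is not the same as the DomainMode enumeration's.
        public static int ReadBehaviorVersion(string domain, string user, string password)
        {
            using (var rootDse = new DirectoryEntry("LDAP://" + domain + "/RootDSE", user, password))
            {
                string domainNc = (string)rootDse.Properties["defaultNamingContext"].Value;
                using (var nc = new DirectoryEntry("LDAP://" + domain + "/" + domainNc, user, password))
                {
                    return (int)nc.Properties["msDS-Behavior-Version"].Value;
                }
            }
        }
    }

    class Program
    {
        // Same command line as domainmode.exe: <domain> <domain\user> <password>
        static int Main(string[] args)
        {
            if (args.Length < 3)
            {
                Console.WriteLine("usage: domainmodeprobe.exe <domain> <domain\\user> <password>");
                return 2;
            }

            string detail;
            ProbeResult result = Probe.ProbeDomainMode(args[0], args[1], args[2], out detail);
            Console.WriteLine("{0}: {1}", result, detail);

            if (result != ProbeResult.DirectoryFailure)
            {
                Console.WriteLine("msDS-Behavior-Version on the domain NC: {0}",
                    Probe.ReadBehaviorVersion(args[0], args[1], args[2]));
            }

            // Exit code 1 when the fix is needed, so the check can be scripted across many clients.
            return result == ProbeResult.InvalidDomainMode ? 1 : 0;
        }
    }
}
```

The exit code is the useful part for an administrator: the same binary can be pushed to a set of clients and the InvalidDomainMode results collected without parsing console text, while DirectoryFailure keeps a bad password or an unreachable DC from being mistaken for a missing hotfix.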

Another way to test the DomainMode enumeration is a very simple loop. By looping through a set of integers from 1 to 15, one can view all of the DomainMode strings available on a given client. Below is an example of just such a loop. By using this method, one can determine which DomainMode values are available on the client and then check for the specific domain mode string they need for their environment:

Example of a PowerShell function definition to check DomainModes:

#
# DISCLAIMER:
#
# This sample is provided as is and is not meant for use on a production environment.
# It is provided only for illustrative purposes. The end user must test and modify the
# sample to suit their target environment.
#
# Microsoft can make no representation concerning the content of this sample. Microsoft
# is providing this information only as a convenience to you. This is to inform you that
# Microsoft has not tested the sample and therefore cannot make any representations
# regarding the quality, safety, or suitability of any code or information found here.
#
function List-DomainModes
{
    $ret = @()
    $modeVal = 0
    while ($true)
    {
        try
        {
            # PowerShell refuses to cast an integer that matches no enumerator name, so the
            # first undefined value throws a terminating error and the loop ends
            $dm = [System.DirectoryServices.ActiveDirectory.DomainMode]$modeVal
            $ret = $ret + $dm.ToString()
            $modeVal++
        }
        catch
        {
            break
        }
    }
    return $ret
}

Save the PowerShell code to a PS1 file, then dot-source the file into a runspace and execute it. Be sure to put a space between the . at the beginning of the line and the path to the script file. Below is an example of how to execute the List-DomainModes function:

PS C:\psh> . c:\psh\domainmode.ps1
PS C:\psh> List-DomainModes
Windows2000MixedDomain
Windows2000NativeDomain
Windows2003InterimDomain
Windows2003Domain
Windows2008Domain
Windows2008R2Domain
Windows8Domain
Windows2012R2Domain
PS C:\psh>

Example of how to enumerate all available DomainMode values on a given client using C#:

/*######################################################################
#
# DISCLAIMER:
#
# This sample is provided as is and is not meant for use on a production environment.
# It is provided only for illustrative purposes. The end user must test and modify the
# sample to suit their target environment.
#
# Microsoft can make no representation concerning the content of this sample. Microsoft
# is providing this information only as a convenience to you. This is to inform you that
# Microsoft has not tested the sample and therefore cannot make any representations
# regarding the quality, safety, or suitability of any code or information found here.
#
*/

using System;
using System.DirectoryServices.ActiveDirectory;

namespace KB2260240FixChk
{
    class Program
    {
        static void Main(string[] args)
        {
            DomainMode dm;
            string dmstr;
            bool fixfd = false;

            for (int i = 0; i < 15; i++)
            {
                // Casting an undefined integer to an enum never throws in C#; ToString() on such a
                // value just returns the number, which is how the loop detects the end of the enumeration
                dm = (DomainMode)i;
                dmstr = dm.ToString();

                // Windows2008R2Domain is the member whose presence shows the KB2260240 fix is in place
                if (dmstr == "Windows2008R2Domain")
                {
                    fixfd = true;
                }

                if (i.ToString() == dmstr)
                {
                    Console.WriteLine("DomainMode Enumeration Complete");
                    break;
                }

                Console.WriteLine(dmstr);
            }

            if (fixfd) Console.WriteLine("Windows2008R2Domain mode found. KB2260240 has been applied");
            else Console.WriteLine("no Windows2008R2Domain in DomainMode enumeration");
        }
    }
}
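The integer loop above works because C# tolerates undefined enum values; the framework also exposes the same information directly through the System.Enum metadata APIs. As an added example (not the blog's code), the program below lists every DomainMode member the running framework build knows, checks for a named mode with Enum.IsDefined, and reports the highest level the client can represent. The class and method names are this example's own; the default mode name is the one the check above looks for.

```csharp
using System;
using System.DirectoryServices.ActiveDirectory;

namespace DomainModeEnumCheck
{
    // Added example: reads the DomainMode enumeration shipped with this client's framework build.
    static class EnumCheck
    {
        // Every DomainMode member name the running framework knows, in declaration order.
        public static string[] KnownModes()
        {
            return Enum.GetNames(typeof(DomainMode));
        }

        // True when this client's enumeration contains the named mode. This is the check the
        // integer loop performs by hand with the ToString() comparison.
        public static bool ClientKnowsMode(string modeName)
        {
            return Enum.IsDefined(typeof(DomainMode), modeName);
        }

        // Name of the highest functional level the enumeration can represent on this client.
        public static string HighestKnownMode()
        {
            int max = int.MinValue;
            foreach (object v in Enum.GetValues(typeof(DomainMode)))
            {
                int n = (int)v;   // unboxing a boxed enum to its underlying type is allowed in C#
                if (n > max) max = n;
            }
            return Enum.GetName(typeof(DomainMode), max);
        }
    }

    class Program
    {
        // Usage: domainmodeenum.exe [modeName]   (defaults to Windows2008R2Domain)
        static void Main(string[] args)
        {
            foreach (string name in EnumCheck.KnownModes())
            {
                int value = (int)Enum.Parse(typeof(DomainMode), name);
                Console.WriteLine("{0} = {1}", name, value);
            }

            string wanted = args.Length > 0 ? args[0] : "Windows2008R2Domain";
            Console.WriteLine("{0}: {1}", wanted, EnumCheck.ClientKnowsMode(wanted) ? "present" : "absent");
            Console.WriteLine("highest mode this client can represent: {0}", EnumCheck.HighestKnownMode());
        }
    }
}
```

Because this inspects only the enumeration compiled into the framework, it needs no domain credentials and no DC access; it tells you what the client could represent, while the domainmode.exe test earlier in the post tells you whether a particular domain's level is among those values.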