An update released on February 9, 2016 resolves a vulnerability in Active Directory Federation Services (ADFS).
An attacker who successfully exploits this vulnerability by sending certain input during forms-based authentication to an ADFS server could cause the server to become nonresponsive. The update addresses the vulnerability by adding additional checks on input data during forms-based authentication.
This security update is rated Important for ADFS 3.0 when installed on x64-based editions of Windows Server 2012 R2 and Windows Server 2016 Technical Preview 4.
See Microsoft Knowledge Base Article 3134222 for additional information about this update – https://support.microsoft.com/kb/3134222
If a Windows Server 2012 R2 system has not yet been updated with the April 2014 cumulative update for Windows Server 2012 R2, it is highly recommended to deploy that update right away.
See Microsoft Knowledge Base Article 2919355 for additional information about this update – https://support.microsoft.com/en-us/kb/2919355
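The following PowerShell snippet is an added example, not part of the original post or any Microsoft-provided tooling. It checks whether an ADFS 3.0 federation server running Windows Server 2012 R2 has both updates referenced above (KB 2919355 and KB 3134222) installed, and assumes it is run in an elevated PowerShell session on the ADFS server itself.

```powershell
# Added example (not from the original post): verify that an ADFS 3.0 server on
# Windows Server 2012 R2 has both updates referenced in the post installed.
# Assumes an elevated PowerShell session on the ADFS server itself.

# KB 3134222 is the February 9, 2016 ADFS security update; KB 2919355 is the
# April 2014 cumulative update for Windows Server 2012 R2.
$requiredUpdates = @('KB2919355', 'KB3134222')

# Confirm the ADFS role is present; the check only matters on a federation server.
$adfsRole = Get-WindowsFeature -Name ADFS-Federation
if (-not $adfsRole.Installed) {
    Write-Warning 'The ADFS-Federation role is not installed on this host; nothing to check.'
    return
}

# Get-HotFix reads the Win32_QuickFixEngineering class, which lists updates
# installed through Windows Update or WUSA. -ErrorAction SilentlyContinue keeps
# a missing KB from stopping the script so that every KB is reported.
$installed = Get-HotFix -Id $requiredUpdates -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty HotFixID

foreach ($kb in $requiredUpdates) {
    if ($installed -contains $kb) {
        Write-Output "$kb is installed."
    } else {
        # Build the KB article URL in the same form the post links to.
        $article = $kb -replace '^KB', ''
        Write-Output "$kb is MISSING - see https://support.microsoft.com/kb/$article"
    }
}
```

Get-HotFix only reports updates recorded in Win32_QuickFixEngineering, so an update that arrived inside a later cumulative rollup may not appear under its own KB number; if a KB is reported missing on a server you believe is current, cross-check the installed update history before redeploying.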