Sunday update on Microsoft Security Advisory 935964

Hello everyone,

This is Christopher Budd. I wanted to take a moment and provide a brief update on the situation from our work over the weekend.

As of tonight, the situation remains unchanged. Our teams are continuing to work on developing and testing updates for this issue, and our ongoing monitoring of the situation shows that attacks are still not widespread.

We don’t have any new estimates on release timelines. I can say that our ongoing testing so far has not raised any issues that would make us believe we might be looking at a longer timeline. However, testing is ongoing.

While we called this out in our security advisory and our initial and subsequent postings, we have still gotten some questions from customers about whether this vulnerability exists in any non-server Windows operating systems. The answer to that is no: this vulnerability only affects Windows server operating systems, specifically those with DNS installed.

We know this because, as part of our Software Security Incident Response Process (SSIRP), one of the first things we do after we identify a vulnerability is to establish the scope of affected software. We do this by looking at the source code for the affected component in all publicly supported versions of the product. We look to see if the code that contains the vulnerability is present in the source code. In the case of this vulnerability, the code with the vulnerability is in the DNS server component. That component isn’t present in Windows client operating systems. Because of this, we can say that client systems are not at risk from this vulnerability.

As always, we’ll keep you updated with new information about our work and the situation as we have it.



*This posting is provided “AS IS” with no warranties, and confers no rights.*