Monthly Security Bulletin Webcast Q&A – September, 2008



Hosts: Christopher Budd, Security Response Communications Lead; Adrian Stone, Lead Security Program Manager (MSRC)

Website: TechNet/security

Chat Topic: September 2008 Security Bulletin

Date: Wednesday, September 9, 2008


Q: Are there any issues between Microsoft and Altiris that are delaying the availability of this month’s bulletins?

A: We are not aware of any issues. We advise that you contact Altiris as we cannot speak for them.


Q: When our students’ laptops were updated yesterday, the “Print To OneNote” printer disappeared. We have not been able to restore it yet and need something right away.

A: The symptom you describe has not been reported to us regarding this bulletin. We encourage you to contact the Microsoft Support group for OneNote (this will be the Office Support Group) for the quickest resolution to this problem. If something is found to be reproducible, we can add information on this to the Knowledge Base (KB) Article associated with this bulletin.


Q: Does MS08-052 stop any services upon installation (we would prefer to preinstall the patch and reboot 48 hours later during a maintenance window for our services)?

A: This is difficult to answer with a “yes” or “no”. The Operating System versions of this update do require a reboot. Some individual components like Office and the .NET Framework do not require restarts, nor do they require service downtime. Only the SQL updates require service restarts, and the potential issues around doing this are documented in KB954606. Ultimately I need to refer you to the public bulletin for MS08-052, as the restart requirements are broken down in detail per affected component, and you will need to answer this based on your own environment.


Q: What is common between MS08-052 and MS08-054?

A: There is no relationship between MS08-052 and MS08-054.


Q: Is Windows 2003 with Internet Explorer (IE) 6 and IE 7 vulnerable or not for MS08-052? It says in the Security Bulletin that the unaffected software includes these.

A: The only version of IE that is affected in MS08-052 is IE6 Service Pack (SP) 1 on Windows 2000 SP4.


Q: Older GDI+ bulletins included an EST (Enterprise Scanner Tool) to help locate 3rd party redistributions of the affected DLLs. Why was no such tool released for this month for MS08-052? Has this technique been used before to ensure that older DLLs don’t overwrite updated files, or is this a first? Can you elaborate on how this works and why it is necessary?

A: The EST released for MS04-028 was needed to fill the gap between the older MBSA 1.2.1 and the New Microsoft Update Service (in 2004) detection for updates.  This tool has now gone out of support, October 2007, so there is no EST released for this month.


Q: Microsoft Knowledge Base Article 894199 does not give information on MS08-055 or KB955047… Is there a cause/reason for not listing?

A: KB894199 applies only to releases on the Microsoft Windows Update Web site. This article does not apply to security releases for products that are not supported by Windows Update.


Q: Missed the beginning – any exploits for MS08-052?

A: We are unaware of any PoC in the wild or any active exploitation at this time.

Q: Does MS08-052 also supersede MS07-050?  It’s stated under Windows Operating System and Components -> Internet Explorer 6

A: This is correct… MS08-052 supersedes MS07-050 for customers with IE6 SP1 installed on Windows 2000 SP4. MS08-052 supersedes various bulletins on a product by product level.


Q: MS08-052 has a fix for MSSQL 2005 and 2000.  The comment is that this bulletin replaces the previous July bulletin.

A: MS08-052 includes an update for SQL Server 2005 deployments that have Reporting Services installed. This update supersedes the July bulletin for SQL Server 2005. SQL Server 2000 Reporting Services is a separate installation from SQL Server 2000. MS08-052 does not supersede the July bulletin for SQL 2000.


Q: MS08-055. OneNote is not always installed. Is the vulnerability exploitable without OneNote installed?

A: The attack vector is in the OneNote protocol handler and the vulnerable code spans across multiple Office components; we recommend you update your Office installation even if you do not have OneNote installed.


Q: How long from the time of bulletin release does it normally take to add the Knowledge Base number to the Microsoft Update Tool used for Software Management Server (SMS) updates?

A: This typically happens right away, but global replication can introduce a delay of perhaps a couple of hours.


Q: Why does bulletin MS08-052 not indicate the SP for Office 2003/2007; so the patch will not be included, and MS08-053 will not be included in future SPs for Windows Server 2003/Vista/2008?  Are these typos?

A: For MS08-053, the fix is contained in the Windows Media Encoder. This is an optional component and not applicable for the OS service pack. For MS08-052, there is currently no Office 2003 SP4 scheduled. However, it should be included in future service packs for Office 2007.


Q: Since MS08-052 replaces MS08-040, can we expect the same “nightmare” to install on SQL as we got with MS08-040?   (Having to stop services, no way to uninstall, etc)

A: The installer still requires stopping and starting SQL Service in order to patch.


Q: MS08-054: why doesn’t this apply to Windows Server 2003?

A: This bulletin affects Windows Media Player 11 only, which is not supported on Windows Server 2003.


Q: So if I have Windows 2000 servers with .NET 1.1, 2.0 and do NOT develop applications on the server, do I need to install MS08-052? I would say no since I am NOT creating applications that would be distributed from the server.

A: While there is no default attack vector for affected .NET Framework products offered by the GDI+ security update, customers are encouraged to install the update in the event a third-party application based on the .NET Framework is installed and introduces a vulnerability specific to that application.


Q: Regarding MS08-052, if the server has SQL installed, does the Windows patch have to be applied before the SQL patch?

A: There is no specific order requirement for applying the MS08-052 updates.

Q: Is it safe to replace all DLLs with the MS08-052 versions including Office Communicator 2005/2007?

A: Due to application concerns, it is rarely safe to replace any DLL for an application in a 1-to-1 mapping without installing an available patch or security update for that product. Microsoft has provided updates to all affected products with reliable attack vectors. With 3rd party applications that redistribute and use GDI+.dll, it is up to that Independent Software Vendor (ISV) to assess their product for applicability and release an update if required. Microsoft has provided updates for various Developer applications which will assist those ISVs in creating their updates.


Q: Can you verify which update MS08-052 replaces? The slides state MS08-050 and the website says it replaces MS07-050. The link points to MS07-050 as well.

A: MS08-052 supersedes many previous security updates. This supersedence is based off of the individual security update offering. The Bulletin lists the supersedence by security update, but the total supersedence list is: MS04-028, MS07-050, MS08-019, MS08-040, MS08-044, & MS08-051.


Q: I would like to know the best practice to confirm a patch (MS08-052) was successfully installed (Win2k server and Win2k3 server). Event log?

A: The MBSA is the “Best Practice”. We also give information on file version verification in the KB and bulletin associated with the package. This said, some products affected by MS08-052, like Digital Image 2006, do not have any supported tools. The file versions are the only thing to go by.


Q: I installed KB953404 in Windows XP yesterday, but I cannot remove it. Can you confirm this?

A: You should be able to uninstall this update. If you are having problems uninstalling it, please contact Customer Service and Support (CSS).


Q: KB953404 and KB953405 are both MS Office… Office XP and Office 2003 accordingly. On the WSUS Server: KB953404 is MS08-055 – and – KB953405 is MS08-052. Is that correct? I suspect that they should both be MS08-055.

A: Our FAQ says:  MS08-052 also describes vulnerabilities in Microsoft Office XP Service Pack 3? How does MS08-052 relate to this bulletin (MS08-055)? As part of the cumulative servicing model for Microsoft Office XP, this security update for Microsoft Office XP Service Pack 3 (KB953405) also addresses the vulnerabilities described in MS08-052. Users with Microsoft Office XP Service Pack 3 installed will have to install this security update but will only need to install it once.