Monthly Security Bulletin Webcast Q&A – October, 2008

Register now for the Novemberr 2008 Security Bulletin Webcast

Security Bulletin Webcast Q&A Index


Hosts:                   Christopher Budd, Security Response Communications Lead

                                Adrian Stone, Lead Security Program Manager (MSRC)

Website:             TechNet/security

Chat Topic:         October 2008 Security Bulletin
Date:                     Wednesday, October 15, 2008



Q: What is the difference between Microsoft Update and Windows Update as patch mechanisms?

A: Windows Update only provides detection and deployment support for Microsoft Windows Components.  Microsoft Update provides a more comprehensive product coverage including many non-windows software components such as the Office suites


Q: MS08-058 CVE-2008-2947 has a publicly known exploit. How reliable is that exploit… how does that exploit work?

A: We do not comment on the reliability or mechanics of public exploit code. We strongly recommend customers apply this patch to their systems.


Q: Most of the security bulletins replace earlier releases… are these areas being repeatedly exploited and does Microsoft need to patch every time?

A: When a security update replaces an existing update, you will only need to install the latest update for that component to insure that you are secure.   Microsoft Updates address vulnerabilities in such a way that our customers have protection from software vulnerabilities.


Q: MS08-061 has in its “known issues” section that you may get offered this update twice on a XP Service Pack (SP)3 machine. Is this only for some XP SP3 systems and is there a list of known trigger events or conditions that cause the patch to be reoffered again before you are fully patched?  See

A: This should only occur on systems where the SP3 installation has failed, or SP3 has installed and subsequently removed.  This leaves the win32k.sys component in an unsigned state.  If an unsigned win32k.sys component is detected, this update will detect the file, correct the component, and then exit.  After this occurs, the package is re-offered to the system.


Q: For the Elevation of Privilege (EOP), does the user require credentials of his own to exploit the vulnerability

A: Yes, for both local EOP vulnerabilities an attacker must have legitimate credentials to log on-to a system and then use the vulnerability to elevate their privileges to SYSTEM level rights


Q: Why doesn’t MS08-059 apply to Microsoft Host Integration Server (HIS) 2000 Service Pack 1 (server), HIS 2000 SP1 (client), and HIS 2000 (client)?  Is it because they are not vulnerable or because they are no longer supported by Microsoft?

A: It is because these are no longer supported releases. Please see the Microsoft Support Lifecycle pages at


Q: Does Microsoft Host Integration Server have an associated executable?

A: The files associated with this fix are Hisservicelib.dll, RPCDetect.dll and SNArpcsv.exe.  This information is also available in KB956695.


Q: We are seeing the Exploitability Index probably for the first time, would like to know the motive behind sharing this information and how one can make use of this data…

A: Christopher Budd covered this during the slide presentation, however,  there are several online documents, one being a “how to” and the second being a “Frequently Asked Questions” that are available from the “Exploitability Index” link within this month’s summary bulletin.


Q: Are there any more surprises with the Office patches this month? We have had a number of issues with dealing with unpredictable actions from Office after deployment.

A: We are not aware of any issues with this bulletin. If you’re experiencing behavior not discussed in the security bulletin, please contact our support teams using the information at .


Q: I noticed the standalone viewer patch for the Access Snapshot Viewer (MS08-041) was also released with the October bulletin release. Will that be delivered by Windows Update?

A: The standalone viewer is only on the download site.


Q: What open shares on DCs need to be open

A: For the Server Message Block (SMB) bulletin MS08-063. Any open shares on a DC that allow authenticated users to write to that share will expose that system to the SMB vulnerability.


Q: Can you add the Security Advisory to the supercedence grid for future webcasts?

A: Where that makes sense, yes, we can do that.


Q: Is there are reason why the Kill Bits update (956391) was released as an advisory instead of a security bulletin as MS08-032 was?

A: Microsoft is releasing this Cumulative Security Update of ActiveX Kill Bits with an advisory because the new kill bits either do not affect Microsoft software, or had been previously set in a Microsoft Security Bulletin.


Q: MS08-063 requires an authenticated account, if the guest account is enabled would this exploit work?

A: Yes, if the guest accounts are enabled in an enterprise environment then this vulnerability is exposed to attackers with only guest privileges as well.


Q: In the KB article, what changes are made when applying MS08-056 on a Window Server 2003 SP1 and SP2 with Office XP SP3? The 3 registry keys mentioned in KB 956464 were not removed.

A: The update was designed to remove the registry keys for these protocols. If you believe this is not happening we recommend you log a support call and we can investigate further.


Q: The new Aggregate Severity and Exploitability Index Rating is a good idea, but would it be possible to have a master page that is kept up to date with all bulletins that have been rated, similar to the security bulletin search page? This would greatly assist in deployment of new systems so critical patches can be included in images/deployment scripts.

A: Thank you very much for the suggestion. We will take it under consideration.


Q: MS08-063 appears to be exploitable by authenticated users connecting to Domain Controllers and being able to take full control of them. Is this true? If so, why is the severity rating not higher?

A: The SMB vulnerability has some mitigation: this is intranet only (enterprise customers); does require authentication; does require SMB. On Active Directory (AD) SMB is default, however the vulnerability also requires open shares on the AD servers that allows low privilege authentication with write access to the open share.

Q: Did MS08-058 disable error reporting for Internet Explorer (IE) 7 crashes under Vista SP1?  I have needed to terminate IE due to hangs 3-5 times since installing MS08-058 and I am not being prompted to send error reports to Microsoft.

A: No, the IE updates do not disable Error Reporting. We would recommend contacting product support at 866-PCSafety if you believe you are having a problem with one of the bulletins.