Hosts: Christopher Budd, Security Response Communications Lead
Adrian Stone, Lead Security Program Manager (MSRC)
Chat Topic: December 2008 Security Bulletin
Date: Wednesday, December 10, 2008
Q: SANS reported a 0 day not patched in MS08-073; can we anticipate another “out of band” patch if and when Microsoft confirms the vulnerability?
A: Investigations are currently underway, and once we understand the vulnerability, Microsoft will take action to protect our customers, whether it be through an out-of-band release or the normal release process for security fixes.
Q: Are there any plans to make MS Dynamics CRM v4 updates available via SMS 2003 ITMU catalog?
A: The latest versions of Dynamics are fully supported on Microsoft Update (MU) which provides support in SMS 2003 – but only when there is a security update, service pack or rollup for the Dynamics product.
Q: I ran the installer on MUI with Traditional Chinese language pack, but the installer, when run manually, gives an error saying that no applicable software was found.
A: Please open a support incident through Customer Service and Support (CSS) by calling +1 (866) PC-SAFETY (+1 (866) 727-2338) in the U.S. and Canada, or at your local international subsidiary at <http://support.microsoft.com/common/international.aspx> to help us debug this issue.
Q: Recent MBSA 2.1 scans of XP SP2 and SP3 systems are not listing MS08-037 as installed in the verified list of updates, as well as MSRT v2.5 (Dec 2008). Is this a problem with the latest Wsusscn2.cab?
A: There is no known problem with the WSUSSCN2.CAB file, and MS08-037 should be seen as potentially vulnerable IF DNS is enabled on the machine – otherwise, MBSA would be correct to report that there are no MS08-037 vulnerabilities. MS08-037 certainly applies to both Win XP SP2 and SP3, so my first concern would be to verify that it has been installed. We are not aware of any detection issues with the Cab file used by Windows Server Update Services (WSUS), so if you believe that you have identified an issue please call into support. The MSRT has been re-staged to address a False Positive (FP) issue, and this may account for this oddity.
Q: In KB957388 the Vista/server application compatibility update, it indicates that Internet Explorer has been updated to fix compatibility issues. Is there a file listing noting the changes?
A: This is not a security release, and this security experts panel isn’t authoritative for non-security items, sorry.
Q: For those with the Win2000 DST Extended Hotfix Support Program are there any new releases to parallel with the KB955839 update?
A: This is not a security release, and this security experts panel isn’t authoritative for non-security items, sorry.
Q: Why are some of the critical updates not available via Windows Update?
A: Not all older versions of software are supported on WU; please refer to the bulletin for details on this support.
A: Visual Basic 6.0, Visual Studio .NET 2002 and Visual Studio .NET 2003, and Visual FoxPro are “legacy” products which were not built and designed to support newer deployment channels such as MU and WSUS. The newer product versions such as Visual Studio 2005 and Visual Studio 2008 do support updates via MU and WSUS. We recommend customers move up to the latest version of the Visual Studio development platform in order to enjoy the features and other benefits such as updates via MU/WSUS that are available for the newer versions.
Q: Is redistributing the affected VB6 application the only way to mitigate it? Is there a patch that you can apply directly to the workstation that has the “bad” ActiveX control previously put down by an affected VB6 app?
A: The updates provided with security bulletin MS08-070 correspond to the Microsoft products that redistribute these ActiveX controls. Microsoft does not provide updates for third party applications that may have redistributed these ActiveX controls and the guidance we provide for customers is to contact the vendors that developed any third party application using these controls. That being said there is a mitigation in the form of a killbit that is documented in the security bulletin and customers have the option of deploying a killbit to all desktops in the enterprise that may have any of the affected controls while they wait for the ISV or third party solution provider to provide an update for their application. The killbit may have unexpected impact on third party applications that use these controls in browser based scenarios so you should carefully analyze the possible impact on such applications before deploying a killbit.
A: While Windows Update provides you with updates specifically for Windows, Microsoft Update expands the service to download and install updates for other Microsoft software, such as Microsoft Office and Windows Live.
Part 2: Both apply to the same products Windows Media Format 9.0, 9.5 and 11 per the KB? Please consider adding the -SP3 to the SP3 only binary if possible to reduce confusion.
A: The file versioning method for Format Runtime v9 changed for XP SP3 from XP SP2 which required separate packages to service.
A: Thank you for your feedback. We will look into this for future releases.
A: This should be fixed very shortly (next few hours).
Q: Why are some of the critical updates not available via Windows Update?
A: All critical updates for Windows are available on Windows Update. It is important to opt-into Microsoft Update to obtain all updates for Windows and all Microsoft products – including Office, SQL Server and others.
Q: “In a statement, the company said it was investigating the flaw made public by Knownsec but did not say whether it expected to patch the bug on Tuesday.” Will this IE attack be addressed?
A: Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer. We will take steps to determine how customers can protect themselves should we confirm the vulnerability.
Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.
Q: For MS08-070. Why are there installers for all Languages when they indicate that the update only applies to Chinese and Korean?
A: The various languages of installer reflect only the language of the installer’s User Interface (UI). Any language of installer will update any language of Office.
Q: Have there been any reported issues as far as, once servers are rebooted, they would not open correctly and have to remove all or one of the updates?
A: We continue to monitor post-release issues; however, at this time we have not confirmed or attributed server reboot problems to the updates released in this month’s security release.
Q: On MS08-070, can you give us any clues/authoritative info so that we can check if we have impacted applications to go to our vendors? Some of my vendors are clueless. Should I scan my computer for those CLSIDs or something?
A: Microsoft provides an Enterprise Scan Tool (EST) for users that need a means to identify the presence of these ActiveX controls installed by a Microsoft product which redistributes these controls and some Microsoft Office products are also supported by the Office Detection Tool (ODT).
The ActiveX controls are redistributable which means third party solution providers or ISVs can include one or more of the controls in their own application and ship the control as part of that application. Microsoft cannot provide detection tools for such third party applications, but does provide guidance in the bulletin for customers that use such third party apps and for ISVs that use and redistribute these controls with their applications. Customers can detect for the presence of such controls by scanning the file system using SMS or other means to inventory the files installed on a desktop and use that as a basis to determine which ISVs might need to be contacted for updated versions of their packages.
Additionally you can scan the registry and detect the CLSIDs for these controls but that is generally only an indicator about the presence of the ActiveX control on the machine, but doesn’t provide information regarding multiple products (or versions) that might have installed the same control because with ActiveX control registration the last registered control “wins” i.e. shows up in the registry.
Q: On November 26 we had a number of non-Critical non-Security related patches released to our WSUS server from Microsoft. If these are non-critical, why are they released outside of the Patch Tuesday cycle?
A: Important updates that are not security related are targeted for days outside of our regular security bulletin release day specifically because they are not security related.
Q: Just saw the bulletin for the re-release of some older patches. Bulletins were updated but I did not read them yet. Will the patches need to be re-released, or were the changes “cosmetic”?
A: These bulletins, MS07-017 and MS05-053, were revised to communicate the availability of an updated version of the Windows Server 2003 update package. The updates were revised to address minor issues unrelated to the stability of the update or security of the intended target systems. Customers who have already successfully applied the updates need not take any action.
Q: Can you confirm that MS08-075 does NOT affect the Windows XP add-ons Windows Desktop Search 3.01 or Windows Search 4.0?
A: Windows Search 3 and 4 for Windows XP are not affected by the issues addressed in MS08-075.