Monthly Security Bulletin Webcast Q&A – February 2009

Register now for the March 2009 Security Bulletin Webcast


Security Bulletin Webcast Q&A Index


Hosts:                        Christopher Budd, Security Response Communications Lead

                                     Adrian Stone, Sr. Security Program Manager Lead (MSRC)

Website:             TechNet/security

Chat Topic:         February 2009 Security Bulletin
Date:                   Wednesday, February 11, 2009


Q: Why are there no updates for Internet Explorer versions prior to Internet Explorer 7?

A: The vulnerabilities addressed in MS09-002 are not applicable to earlier versions of Internet Explorer.


Q: Would an exploit of MS09-002 bypass User Account Controls on Vista or Windows Server 2008 or would a user be alerted of any attempt to access elements of the operating system protected by User Account Control alerts?

A: If Internet Explorer is running in Protected Mode on those platforms User Account Controls will alert the user for attempts to access User Account Controls protected elements.


Q: What is TNEF?

A: Transport Neutral Encapsulation (TNEF) is a format used by the Microsoft Exchange Server when sending messages formatted as Rich Text Format (RTF). When Microsoft Exchange is sending a message to another Microsoft e-mail client, it extracts all the formatting information and encodes it in a special TNEF block. It then sends the message in two parts: the text message with the formatting removed, and the formatting instructions in the TNEF block. On the receiving side, a Microsoft e-mail client processes the TNEF block and re-formats the message.


Q: Exchange 2003 Service Pack 1 recently went out of supported status. Can MS09-003 be installed on an Exchange 2003 Service Pack 1 server or does Service Pack 2 need to be installed?

A: Service Pack 2 and the security update (MS09-003) should be installed.


Q: Is Security Advisory 956391 Cumulative Security Update of ActiveX Killbits required, and if so why isn’t Microsoft Baseline Security Analyzer (MBSA) detecting this?

A: Installing KB960715 has all the previous killbits that have been released including Security Advisory 956391 that was released in October


Q: Are there any Microsoft Knowledgebase articles for how to disable TNEF (Transport Neutral Encapsulation Format) encoded messages in Microsoft Exchange?

A: No, there is no way to completely block TNEF messages. Doing so would make Exchange unusable.


Q: Regarding the SQL patches…generally there are different patches depending on which version of SQL and even if they are MSDE (MS Data Engine) versions, and some had to be patched by the application vendor. Is that the case for this one?

A: Any third party who redistributes MSDE and uses the provided installer need not take any action to service the instance – our regular servicing mechanisms will discover and update it.  If however they use their own custom installer instead we can make no claims regarding whether we are able to service it.


Q: Is MS09-005 required for Visio 2003 Services Pack 1?

A: Visio 2003 Service Pack 1 is out of support. Please install Visio 2003 Service Pack 3 and the security update MS09-005


Q: Is SQL 2000 Service Pack 3 affected?

A: Per, SQL 2000 SP3a went out of support in 2007.


Q: In MS09-004, the SQL patch, you say this is uninstallable, but your bulletin says that to uninstall it on servers running MDE, MDE will have to be uninstalled and reinstalled. Can you clarify that?

A: The Bulletin is the correct source for the removal information for the SQL Bulletin: Removing the WMSDE update will completely remove WMSDE from the system. This is documented in the Known Issues KB, Thus, WMSDE will have to be reinstalled on the system for continued use until Microsoft addresses this uninstallation issue in future releases.


Q:  Is this a correct summary of Killbit patching: Microsoft products will ALWAYS result in new Cumulative Security Update of ActiveX Killbits via a bulletin.

A: Microsoft will release a killbit for a vulnerable Microsoft ActiveX control, this could be released via a security bulletin or advisory. An advisory will be released if the vulnerable Microsoft control has been previously updated in a Microsoft Security Bulletin. If Microsoft is ONLY releasing 3rd Party killbits we will ship these as an advisory.


Q: Is Microsoft aware of any exploit code in the wild for MS09-003?

A: No


Q: Why is the Active X Killbits update not contained within the February Security Bulletin?

A: If I understand the question correctly and you are asking if this means “Why are the killbits not in the Internet Explorer update (MS09-002)?” Answer: We removed the killbits from the Internet Explorer so that we can deploy killbits quicker than required. Note: Killbits are only a registry change.


Q: Exchange server vulnerability was originally discovered on Cisco Unity server. Do you know when to expect Cisco update that includes patched version?

A: No, Please contact Cisco.


Q: Can you please re-play the KB articles that the current bulletins replace?


Q: I receive quite a bit of the security bulletin in my inbox, but I don’t take much action…. Most items I see do not affect me. Should I act on them, anyway? However, I do install my updates regularly. Is that enough?

A: For the most part on a consumer system this is true, but “Risk Assessment” would say “it is not enough”.  For Microsoft updates, it is enough to run the scan on Microsoft Update in most cases, but there is a potential for exceptions.  This is also true of many 3rd party applications and services, as any could lead to a compromise. You really should be aware of what software your systems are running, and monitor for updates.


Q: MS09-004 replaces MS08-040.  Was it the same stored procedure that was affected?

A: The bulletins affect different parts of the product.  Due to the cumulative nature of updates, later ones will, in general, supersede earlier ones.


Q: If you install MS09-003 how does that impact the Interim updates for Exchange 2007? Will you need a post MS09-003 Interim update?

A: The details in the question do not provide enough information to provide a correct answer. If you are unsure please contact support who can help you out.


Q: Why is MS09-005 rated as Important even though it is a remote code execution vulnerability and looks like any other MS Office vulnerability

A: The vulnerability cannot be exploited automatically. For an attack to be successful, a user must open an attachment that is sent in an e-mail message. The attacker would have to convince the user to open the attachment in order to exploit the vulnerability.


Q: We still have production machines limited to IE6. For MS09-002, do you need to run the patch after IE7 has been applied?

A: Internet Explorer 7 ships with a feature called Dynamic Update which when enabled will automatically install the latest security updates during Internet Explorer 7 installation.  Users need to select the “Install Updates” setup setting to enable Dynamic Update.  Otherwise, users will be offered the update once Internet Explorer 7 is installed.


Q: The Exchange bulletin is not showing up on  MSUS on Exchange Server2007 that does not have Service Pack 1 installed. If sp1 is not installed, is it not affected?

A: Exchange 2007 RTM is no longer supported. Support for this product finished 1/13/2009. We suggest you install SP1 AND this security update.


Q: Regarding MS09-004, did I hear the speaker say the attacker must already have an ID on the database?

A: Yes.  In order to be able to invoke the vulnerable stored procedure, you must first successfully authenticate and connect to the SQL instance.


Q: Are you aware of any public exploits for any of the 4 Bulletins released this month?

A: At the time of release, Microsoft is not aware of public exploits for any of the security vulnerabilities disclosed in our 4 Bulletins released this month. However, the SQL release, MS09-004, does have public proof-of-concept code posted. When that PoC was posted, Microsoft issued Security Advisory 961040 which MS09-004 now addresses.


Q: I do not understand Kill Bit patching requirements for XP Service Pack 3 Internet Explorer 6. Please explain why MBSA 2.1 indicates Internet Explorer subsystem is fully patched with only these patches: MS08-073 and Security Advisory 960715.

A: Internet Explorer is fully patched with MS08-073 and MS08-078.


Q: For MS09-002 – The website says this also replaces MS08-073 and MS08-078.  Is this correct that it also replaces the out of band release?

A: The Internet Explorer patch is a Cumulative update and replaces both MS08-073 and MS08-078.


Q: Are TNEF messages common.  By disabling it – would that typically cause a lot of problems?

A: Disabling TNEF would make Exchange to become unusable.


Q: Are Malicious Software Removal Tools updates cumulative?

A: Yes – MSRT is cumulative.


Q: Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847) x86…what is this?

A: These are non-security updates and outside the scope this call, sorry.


Q: Some Office components have some SQL functions. Will MBSA detect any such components that are affected by MS09-004?

A: The MBSA will detect any of the affected SQL flavors.  It should not matter if the product came bundled.


Q: MS09-005 – Visio I have read that this patch only affects service pack 3 is this true? We use MBSA to scan and it’s not showing vulnerabilities on our systems…we have Service Pack 2

A: Visio 2003 Service Pack 3 is affected and requires the update. Visio 2003 Service Pack 2 is not supported for security updates.


Q: In this URL there are General Distribution Release (GDR) and (Quick Fix Engineering (QFE) versions of the patch. How do I determine which one to download?

A: The Bulletin answers this in the “There are both GDR and QFE updates offered for my version of SQL. How do I know which update to use?” FAQ: It is important to note that customers using Microsoft Update (MU) will be offered the correct update package and that offering from MU will sync with the information provided in the table


Q: Compared to XP, what is occurring at these stages and what would be the result if it was interrupted (power failure, hardware problem, etc.)?

A: Windows Vista and newer system have a new base install technology called “Component-Based Servicing” Also known as the trusted installer.  The other updating technologies, such as MSI, plug into this.  There are different staging activities that occur during the installation of a package:

·         Identify any files that are missing from the package. For a file to be installed, it must first be staged. Some may already present in the system store, others may need to be transferred from installation media or downloaded from network locations

·         Determine which files are required to install a package and identify files in other packages that may also be required

·         Resolve dependencies and ensure that all required files are present before installation begins

·         Complete installation

If there is a failure during installation of a component, CSI rolls back the entire installation. If a file or process is in use during a component installation and cannot be replaced, generic commands and advanced installer actions are written to %windir%\WinSXS\Pending.xml, and then written to disk on the following reboot. If several packages are installed at the same time, each additional package appends to Pending.xml. Additional logging during this phase occurs in %windir%\Logs\CBS\CBS.log.


Q: Is there a vulnerable component of MS09-004 installed on each desktop? Or does it just apply to SQL Server on server machines only?

A: Windows Server 2003 and 2008 ship with versions of SQL Server as in-band components part of the operating system. These are listed in the Bulletin as Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon) and updates are provided to both operating systems based off of the component that are applicable.


Q: There are still Exchange 2003 versions in support. But exchange 2007 NON SP isn’t. Why that Exchange 2007 is is still newer so why would it be out of the support cycle?

A: Exchange 2003 SP2 is supported not the RTM original version of that product.  Exchange 2007 RTM went out of support on 13-Jan-2009

 -SP1 is the currently supported version of that product.  Note support ends 12 months after the next service pack releases or at the end of the product’s support lifecycle, whichever comes first.


Q: After updating to SQL Server 2005 SP3 is there a way to verify successful installation of the service pack?  It does not appear in Add/Remove Programs.

A: Verify that the version is 9.00.4035 (see the download page at  Installing a service pack does not affect the existing ARP entry for that SQL Server instance.


Q: Please provide a list of popular services that use WYUKON (Windows Internal Database).

A: At this time we do not have a full list of services that use WYukon.  Some available services that do use WYukon are: Windows SharePoint Services, Windows Server Update Services, Active Directory Rights Management Services, & UDDI Services. It is important to note that the security update will apply to all instances of WYukon on an affected system.


Q: Security Update KB953252/950582 for Windows XP was not deployable in Windows Server Update Service (WSUS). Why has Microsoft chosen not to make this Security Update deployable in a normal means?

A: KB950582 was not released as a Security Update for XP and was released to Download Center only.  A revised update is in the works which will be made available on Windows Update (WU) / WSUS