Hosts: Adrian Stone, Senior Security Program Manager Lead
Jerry Bryant, Senior Security Program Manager
Chat Topic: May 2009 Security Bulletin
Date: Wednesday, May 13, 2009
Q: Have there been any reports of KB958690 causing blue screens? We have heard some info on the web and were curious if you have heard anything.
A: Microsoft is currently not aware of any issues that may cause a system to lock up as a result of installing the MS09-006 security update (KB958690), which updates the Windows Kernel. If you are experiencing any such issues, we recommend contacting Microsoft product support services, either through your support contact or at +1 (866) PC-SAFETY in the US or Canada. They will be able to assist you in addressing the root cause. If any reproducible issues are identified as part of such an investigation, we will take appropriate action, which may include revising the security update and the associated Knowledge Base (KB) article accordingly.
A: KB951847 is a .NET Framework 3.5 Service Pack and not a security update. KB954459 is MS08-069 and is for Microsoft XML Core Services; these are not tied together. We have not seen cases on this, but you may wish to open a support case to have an engineer validate the issue and help determine the root cause.
Q: The Microsoft Baseline Security Analyzer (MBSA) is not detecting when MS09-017 for Microsoft Office 2003 is installed. Is this a problem with the patch or the MBSA?
A: Currently there are no known issues with the detection as it pertains to MBSA for MS09-017. If you are having problems with the detection of this update, please contact CSS at 1-866-PC-SAFETY for support regarding MBSA 2.1. Also note that the minimum service pack level for Office 2003 that MBSA will detect is SP3.
Q: There is a website: http://support.microsoft.com/default.aspx?scid=fh;[ln];lifesupsps that shows the end dates of updates/support for Service Packs. However, this website is not up to date; for example, Office 2007 Service Pack 2 isn’t listed as active right now (it isn’t on the page). Thus there is no end date in the Office 2007 Service Pack 1 block. When will this be updated, and is this the correct website to be checking for updates?
A: Yes, you can use either the website you provided or http://www.microsoft.com/lifecycle . Thank you for pointing that out; we will inform the Office Service Pack team to get the information updated.
Q: Does this vulnerability affect Microsoft Office 2003 Service Pack 2 as well?
A: Microsoft Office 2003 Service Pack 2 is no longer in support. Microsoft recommends that you upgrade to Office 2003 SP3.
Q: If macro security is set to high through Group Policy Objects (GPO) for PowerPoint, does this mitigate the risk of exploit code running on the machine?
A: None of these vulnerabilities relate to the parsing of macros in PowerPoint. As such, disabling macros, while a valid security mitigation by itself, does not protect against exploitation of any of these vulnerabilities. If you are reviewing the deployment of mitigations across your network, we recommend reviewing the mitigations described in the bulletin, such as deploying the Microsoft Office Isolated Conversion Environment (MOICE) and the Office File Block Policy to protect systems.
Q: Are there any security scanning tools to support Microsoft software installed on the Apple platform (for those of us who are both; I’m a PC and I’m a Mac, too)?
A: Microsoft offers no enterprise detection and deployment tools for Microsoft products installed on Macintosh; however, the Microsoft Office products for the Mac platform DO contain an auto-updating feature, so they do have the ability to auto-update.
Q: Will MBSA detect the PowerPoint vulnerability on PowerPoint 2003 Service Pack 2?
A: No, MBSA will look for the in-support versions of Microsoft Office 2003. At this time only Microsoft Office 2003 Service Pack 3 is in support.
Q: What is the latest version of the MBSA cab file?
A: The MBSA cab file (wsusscn2.cab) is released on Update Tuesday along with the security updates that are issued for each month. The most current wsusscn2.cab file was digitally signed on May 11, 2009.
Q: Moving from Windows Update (WU) to Microsoft Update (MU)… Did anything change that would prevent systems from registering with Windows Update?
A: Not sure what is meant by “registering with Windows Update,” so we’ll try to answer what we think you mean. You need to “opt in” to “Microsoft Update,” and once this is done, the system will use Microsoft Update instead of Windows Update. That said, both services leverage “Windows Genuine Advantage (WGA),” and there were some recent WGA changes, though WGA still does not opt you in or out of using MU. At the end of the day, the opt-in should be a one-time step.
Q: How often does Microsoft release SQL Server 2005 Security Updates?
A: Microsoft typically releases security updates on a monthly basis, on the second Tuesday of each month (Wednesday in some countries). Security updates for SQL Server are released when, among other criteria:
1) Security issues are reported and resolved that affect the product in a way that matches our definition of a vulnerability (http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx?mfr=true),
2) The issue does not breach one of our ten immutable laws of security (http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx), and
3) The issue exposes our customers to risk.
As such, an update for SQL Server can be released during each monthly release cycle, depending on whether or not a vulnerability is found and its fix is available for release on that date.
Q: The monthly junk email filter seems to always release on WSUS, but not necessarily on Update Tuesday. What is the schedule for this, or is it random?
A: Microsoft Office did not release a Junk Email Filter with these security updates like they normally do. The Junk Email Filters were released during the Office 2007 Service Pack 2 timeframe. Office will be going back to our normal release schedule next month on Update Tuesday.
Q: Does Microsoft have a converter to upgrade PowerPoint 4.x and older presentations to a supported format? Our HR department has many legacy files that are still used.
A: Unfortunately we don’t have an automated tool to do the conversion. You can use PPT 2000, 2002, or 2003 to convert the files into a newer format.
Q: When supporting the Office Compatibility Pack (FileFormatConverters.exe, the 2007 file format for older Office) as a new deployment, do we install Service Pack 1 (compatibilitypacksp1-kb940289-fullfile-en-us.exe), then SP2 (compatibilitypacksp2-kb953331-fullfile-en-us.exe), then MS09-017 (office2007-kb969618-fullfile-x86-glb.exe)?
A: When deploying the Office Compatibility Pack or any Office product, it is only necessary to install one service pack. All Office Service Packs install successfully regardless of other installed service packs or patches. The fastest deployment sequence is to install the product, then install SP2, then install MS09-017. Also, when deploying full Office products and servers, you can modify the product image by adding patches to the “Updates” folder, and these updates will be installed during initial product setup for a single setup operation that brings you to a fully-patched state. Unfortunately, I believe the compatibility pack does not have this feature. We are in the process of updating our KB article about general Office 2007 patching behaviors to cover this exact scenario.