Hosts: Adrian Stone, Senior Security Program Manager Lead
Jerry Bryant, Senior Security Program Manager Lead
Chat Topic: June 2009 Security Bulletin
Date: Wednesday, June 10, 2009
Q: For security update for Microsoft Excel 2000 (KB969683), is Microsoft Office Excel 2000 Service Pack 3 the only version that is vulnerable, or is that the only version of Office that is supported and therefore the only one that the security update will work for?
A: Excel 2000 Service Pack 3 is the only supported version of Excel 2000 and therefore the only one that the security will work for. This is also true for Excel 2002 SP3 and Excel 2003 SP3. For a complete list of affected products and the required service pack levels, see the security bulletin MS09-021.
Q: If the security update is for Windows Server 2003 SP2, but systems are still on SP1, will the security update still apply? And, will systems on SP1 accept the update installation?
A: Windows Server 2003 SP1 has fallen out of mainstream support, updating Windows Server 2003 SP1 systems with a Windows Server 2003 SP2 update is NOT a supported scenario. Microsoft recommends that customers who currently using Windows Server 2003 SP1 systems upgrade to the mainstream supported Windows Server 2003 SP2 platform.
Q: Regarding MS09-018: is there a specific executable I should be looking for in my environment?
A: Microsoft is not aware of active exploits or Proof of Concept (PoC) attack measures used against the vulnerability addressed in the Active Directory bulletin. As such, we are not aware of any specific executables or attack tools for that matter that exploit the vulnerabilities in the Active Directory bulletin.
Q: Why do none of the Office security updates specifically mention OWC (Office Web Components)? Some of our web servers ONLY have OWC installed … not the rest of Office.
A: Great question. Office Web Components are generally not affected by Office file format vulnerabilities and therefore are not affected by any vulnerability fixed during this security update cycle. Unfortunately, Microsoft does not list all of the products that are not affected because this list would likely be too long to be useful.
Q: Concerning Vista users who are logged in as a local administrator but have (User Access Control) UAC fully enabled: if an attack is executed that runs as the logged-in user, and the attack attempts to exploit system resources, will the UAC prompt be triggered?
A: UAC diminishes privileges for user accounts in the Administrators group that are not the local ‘Administrator’ user. So, for example if you have user ‘Bob’ that is in the Administrators group, then if UAC is enabled, you will see a UAC prompt for any admin task that is being attempted with this identity.
Q: Can you go into greater detail on how exactly a system is vulnerable to MS09-022? Is the concern with client workstations or print servers?
A: The issue affects print servers. Regarding CVE-2009-0028, for remote code execution to occur, an attacker would first need to set up a malicious print server that can be accessed by an affected system. The attacker could then send a specially crafted RPC request to the affected system that would cause the affected system to improperly parse the ShareName on the attacker’s print server during enumeration. This would allow the attacker to perform remote code execution on the affected system (a print server) with system-level privileges.
Q: Is MS09-026 rated Important because it requires authentication or are there any more mitigating factors to reduce the severity?
A: The severity rating is based on the fact that no Microsoft product is known to be vulnerable to this issue. Only 3rd-party RPC applications are affected. Depending on the 3rd-party application, authentication may or may not be required.
Q: I use Configuration Manager to deploy all my security updates yet these updates are still not showing up under the software updates container in Configuration Manager. Do you know when that takes place?
A: Please make sure that you have the latest version of WSUSSCN2.cab downloaded to cfgmanager. This will give you all the latest update deployment information. For specific deployment questions we recommend you open a support request with Microsoft’s Customer Service and Support (CSS) or work with your respective technical account manager.
Again, to contact CSS, please call 866 PC SAFETY. If you are outside the US or Canada, please visit: http://support.microsoft.com/common/international.aspx
Q: Are any of the security updates released this month included in Windows Vista/Windows Server 2008 Service Pack 2?
A: No. Any of the Windows related updates where Windows Vista SP2 and/or Windows Server 2008 SP 2 are not affected are based on code changes prior to SP2’s release.
Q: Is there an easy way to disable vulnerabilities of users who use remote desktop access software? Basically, I have a situation where I am trying to STOP summer help (e.g., summer intern) from exploiting a user client computer?
A: You can use software restriction policies to help prevent users from running undesired applications. You can find more information about this at http://technet.microsoft.com/en-us/library/bb457006.aspx (can also find this by “Binging” Using Software Restriction Policies to Protect Against Unauthorized Software)
Q: Has Microsoft deployed all these security updates internally?
A: Microsoft IT tests and deploys all security updates internally in order to validate the quality of updates. Testing and deploying updates internally allows us to ensure the quality of updates as well as share the same user experience that customers experience. From there, many Microsoft users use Microsoft Update or Automatic Updates to update their PCs
Q: Is there any way to get feedback from the MSRT tool to know if any of the clients in my domain had malware removed? (i.e. does it create a log entry I should look for or something like that?)
A: The MSRT tool is not meant to be a replacement for a full anti-malware solution, as the MSRT only assists in removing the most prevalent known malware on systems that do not yet have an antimalware product installed. Further, and to answer your question, the MSRT does not provide any means for central reporting or configuration in an enterprise environment. It is highly recommended that customers install a full-scale anti-malware solution to allow for proper reporting and customization.
Q: Have others reported problems compiling known good VBA code after installing the update published with MS09-021 for Office XP?
A: No, we have not heard reports of any known issues of this type. Please open a case with Customer Service and Support (CSS) if you having problems.
Q: Interested in knowing if there are any “in the wild” Exploits
A: No. Microsoft had not received any information to indicate that any of these vulnerabilities had been publicly used to attack customers and we had not seen any examples of proof of concept code published when these security bulletins were originally issued.
Q: Are this month’s vulnerabilities considered more urgent than normal, in other words are they comparable to out of band updates?
A: The urgency of all bulletins can be judged by the bulletin severity and the exploitability index rating. This will be specific to your environment.
Q: Why have ActiveX Killbits been removed from Internet Explorer Cumulative updates? In past security webcasts you indicated that killbits would be included in future Internet Explorer Cumulative updates. These additional patches require additional admin overhead to test and deploy.
A: ActiveX Killbits are not a specific update for Internet Explorer. Internet Explorer, along with other Microsoft products, honors the list which blocks loading ActiveX controls – both from Microsoft and 3rd parties. By splitting out the ActiveX Killbits, it allows Microsoft to release updates quickly as they require less testing than source code changes which would be required if part of the Cumulative Security update for Internet Explorer.
Q: Microsoft Security Advisory 971888 is still not published (24 hours after advisory release) on the KB at http://support.microsoft.com/kb/957579. Please fix this ASAP, and ensure future Bulletins and Advisories related KB articles are also available at the same time of (or earlier) than release.
A: The advisory was released at the following location: http://www.microsoft.com/technet/security/advisory/971888.mspx
Q: If someone were to exploit MS09-019 and you were running Internet Explorer in protected mode, would this help prevent this attack or grant the attacker less privilege over the target
A: Protected Mode, where applicable, can help restrict what an attacker can do on an exploited system. For more information regarding Protected Mode, visit http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx.
Q: Do we need to install the office security patches in the computers which do not have Microsoft office (for example servers)?
A: If you are running Microsoft Office 2007 Viewer or Microsoft Office 2003 Viewers you will need to install the corresponding Microsoft Office Update. Windows Server Update Services WSUS or Microsoft Baseline Security Analyzer (MBSA) can be used to scan for updates that apply to your machine. Often times it is a good idea to use a tool such as MBSA to determine which updates need to be installed on Server Systems before updates are applied. More information on Microsoft Baseline Security Analyzer can be found at http://www.microsoft.com/mbsa.
Q: Regarding MS09-025, would UAC block the specially crafted application from doing what it needs to do to get kernel mode access?
A: In the case of the issues addressed in this bulletin, a UAC prompt would most likely not be generated during an exploit attempt.
Q: Is the hotfix for Security Advisory 971888 available for distribution via WSUS?
A: The updates that are offered in the DNS devolution Security Advisory 971888 are available via the download center and can be distributed via traditional deployment mechanisms. Windows Server Update Services WSUS, System Management Server (SMS), and the System Center Configuration Manager SCCM can all be used to deploy the updates offered in the advisory
Q: Do any of these exploits or vulnerabilities addressed this month have the capability of being made automated and wormable?
A: MS09-026 may be exploited in a remote, unauthenticated manner if the 3rd-party application is vulnerable in this configuration. We are not aware of any such 3rd-party application that would allow this.
Q: Regarding MS09-026, is there any known 3rd party boxed software that uses the vulnerable RPC code?
A: Microsoft is not aware of any 3rd-party software that exhibits this issue.
Q: How are security advisories different from security bulletins?
A: Microsoft Security Bulletins provide information and guidance about updates that are available to address software vulnerabilities that may exist in Microsoft products. With each security bulletin that is released, there is an associated software update available for the affected product. Microsoft Security Advisories are meant to give customers detailed information and guidance on a variety of security-related issues that may not be specifically tied to a software update. For example, an advisory may detail Microsoft software updates that might not address a security vulnerability in the software, but that may introduce changes to the behavior of the product or that introduces new functionality designed to help protect customers from attack.
Q: Why does Security Advisory 969898 not have a security rating associated with it?
A: This update contains a kill bit for an update released previously in a service pack as well as kill bits for third-party controls not owned by Microsoft. Microsoft does not provide a security rating for service packs or vulnerable third-party controls.
Q: Certain legacy file types were blocked by previous Office updates or service packs. If access to those file types has been subsequently un-blocked using the Microsoft documented registry changes will any of these new Office related patches attempt to restore the original file type blocking?
A: No, recent Office patches will not attempt to restore the original file blocking. Some older Office patches contain a bug that inadvertently reverted some file type associations to the SP3 setting. This bug was fixed in hotfix KB967054, and security updates released in 2009 are not affected by the issue. Current patches will not change file block settings.