Monthly Security Bulletin Webcast Q&A – August 2009

Hosts:             Adrian Stone, Senior Security Program Manager Lead

                        Jerry Bryant, Senior Security Program Manager Lead

Website:         TechNet/security

Chat Topic:    August 2009 Security Bulletin
Date:              Wednesday, August 11, 2009


Q:  Regarding the re-release of MS09-029.  Why it was re-released?  Is it recommended to install?

A: This update was re-released to correct an issue affecting the print spooler in certain circumstances.  It is recommended that this update be re-installed on Windows 2000, Windows XP, and Windows Server 2003 platforms (if you experienced the issues described).


Q: Are there implications in MS09-041 for RPC over HTTPS used in Microsoft Outlook Anywhere?

A: No, there should be no implications for Outlook Anywhere related to this update.


Q: KB968389 was listed as a critical update from within Windows Server Update Service (WSUS).  However, the article states that it is a “security update”.  Just wondering if there are any vulnerabilities if this update is NOT applied?

A: This is a non-security update which does not directly address any vulnerabilities. Not installing this update does not leave your system unprotected against a specific vulnerability. However, this update will allow applications to make use of Extended Protection for Authentication, which is a new functionality that offers more robust protection of authentication credentials. While there is no immediate difference after installing the update, we strongly recommend installing this update so third party applications and Windows components will be able to make use of this strengthened authentication technology. To learn more about Extended Protection for Authentication, we recommend reviewing Security Advisory 973811 for more information on this technology.


Q: Do we have to do anything special to get WSUS 3.0 SP1 to reoffer MS09-029? Our WSUS servers are reporting that the revised update is “not needed” on systems where the initial hotfix was applied.

A: If you re-sync your WSUS server it should pull down the updated detection and deployment criteria for the MS09-029 re-release along with the criteria for the other new bulletins.  You may need to re-approve the update, depending on your configuration, and it will only be offered where applicable.


Q: Why is MS09-035 being re-released? Is it a functionality change? Or is it just for platforms used to develop ActiveX controls for developing mobile devices?

A: The bulletin was re-released to offer new updates for Visual Studio 2005 SP1, 2008, and 2008 SP1.  The new security updates are for developers who use Visual Studio to create components and controls for mobile applications using Active Template Library (ATL) for Smart Devices. All Visual Studio developers should install these new updates so that they can use Visual Studio to create components and controls that are not vulnerable to the reported issues.


Q: If I install the Remote Desktop Protocol (RDP) 5.0 KB958471 for Windows 2000, do I need to install RDP 5.1 or 5.2 updates Or else will it be automatically upgraded. How can I find the file version for RDP 5.1 & 5.2?

A: On Windows 2000, a user will have to first install KB958471, which will upgrade his system from RDP 5.0 to RDP 5.1. Next, he will need to install the security update for RDP 5.1 which is KB958470. There is no single package which addresses the issue but installation of both packages is required. The file versions of each of the installed updates are listed in the KB article (in this case KB958471 and KB958471) per RDP version and platform.


Q: What were the print spooler issues specifically with the re-release?

A: In certain cases, the print spooler would crash when the MS09-029 update for End-of-Test (EOT) was applied.  The updated package corrects this issue.


Q: Regarding MS09-039, so this can happen anonymously from outside the network if the WINS box has a public IP? Also, are there any known attacks?

A: There are no known attacks for this issue.  CVE-2009-1923 can be exploited remotely.  However, firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.


Q: Is MS09-043 is not applicable for Office 2003 Web Components SP2?

A: Microsoft Office 2003 SP2 is no longer in support.


Q: If the killbit is applied and then MS09-043 applied, does the functionality get activated if it was deactivated when the killbit was applied?

A: Yes. Installing the MS09-043 update restores all functionality that is disabled by the killbit workaround.


Q: With MS09-039, the attack vector can be remote. Can you elaborate if Microsoft Windows Internet Name Service (WINS) is installed can a bad packet be sent via public URL? Also, if a bad packet is sent, what are the repercussions? What behavior can we expect the system start to exhibit if it is infected?

A: The remote vector is through a WINS replication packet.  The server behavior would vary depending on what an attacker would choose to do and the nature of the exploit.


Q: I have submitted security requests to several 3rd parties asking about potential ATL issues in their ActiveX components and have not received replies. There tools end users can use to audit all installed/deployed ActiveX in a Windows domain and also tools to test them ourselves to see if they use ATL?

A: Not all components or controls created with the ATL headers are exposed to a vulnerable condition. As part of the ATL investigation, Verizon Business offers a site that developers and customers can use to test and see if their component is exposed to the vulnerabilities (  We encourage customers to use this site to test if their controls are exposed and continue to reach out to 3rd parties with vulnerable controls. Microsoft is also reaching out to 3rd parties where we have identified vulnerable 3rd party controls or components.


Q: How is MS09-037 related to MS09-034 and MS09-035?

A: MS09-037 addresses the components that ship with Windows that are affected by the ATL issues.  MS09-035 provides updated ATL headers for developers to correct the component and controls they produce.  MS09-034 reduces the attack surface for all of these issues within IE. Note that there is no vulnerability in IE regarding this issue. The IE update is a defense in depth update that blocks the IE attack vector.


Q: Please clarify for MS09-037, if we have to fix every single ActiveX control, why do we need this patch? Or does this patch alleviate the need to fix all the ActiveX controls?

A: MS09-037 specifically addresses vulnerable controls and components that ship inbox with Windows.  This update does not alleviate the need to address other potentially vulnerable controls that may exist on your system.


Q: Every machine that I install the KB973869 patch for x64 (Bulletin MS09-037) on continues to report that the update is needed, whether it is applied by Windows Update, Automatic Updates, or WSUS

A: We are not familiar with the issue as you describe it; however I would recommend that you use the information listed in the bulletin’s “Security Update Deployment” section to verify that the MS09-037 update has been successfully applied.  If you are certain that this is the case, then we encourage you to open a support case so that the issue can be isolated.  If there is a problem on the Microsoft end, then we can get the issue escalated.


Update: This is a confirmed issue and we are working to release a new cab Monday morning 8/17/09 to resolve. 


Q: If I applied the “Fix It” for KB973472 – do I have to disable the workaround before applying MS09-043 ?

A: You do not need to remove it, but it will no longer be needed.


Q: What is the difference between Integrated Mode and Classic Mode in Microsoft Internet Information Services (IIS) 7.0?

A: In a nutshell, integrated mode provides the owner of the web site with more granular control over the request process. On IIS 7.0, each web site on the server can be run in either integrated mode or classic mode.  The integrated request pipeline on IIS 7.0 allows running different application frameworks at the same time. Classic mode reverts back to IIS 6.0 behavior where integrated mode was not yet available. For more information, see


Q: Does the patch for the workstation process restart the service upon completion and just not take effect until the reboot, or is the service down until reboot?

A: The update needs a reboot to take effect.  The workstations service continues operating as normal until the reboot occurs.


Q: Security Advisory 973811 Extended Protection for Authentication requires installing KB968389 and configuring the registry.  KB968389 is missing info for Vista/Windows Server 2008 (non R2) as well as download links. Also, MSDN article (4th paragraph) is now incorrect, since KB968389 adds this support to Windows XP/Windows Server 2003/Vista/Windows Server 2008, not only Windows 7 and Windows Server 2008 R2.

A: The registry key information in KB968389 is applicable to all platforms for which Extended Protection is being released as part of this advisory, including Windows Vista and Windows Server 2008. The download links to the component described in KB968389 can be found in the Affected Platforms list in the advisory. Essentially the updates for each of the platforms are available for download from the security advisory at . We do plan on adding download links to the KB article independently for clarity. The developer MSDN article is undergoing edits to ensure these platforms are added as supported for Extended Protection.