September 2009 Security Bulletin Webcast Video and Customer Q and A

In the September 2009 security bulletin webcast, it was clear that customers had a lot of concerns about MS09-048 as almost half the questions we answered were on that topic. The questions and answers from the session are now posted here on the blog.

As we mentioned in the webcast, The MS09-048 bulletin has been updated to call out Windows XP in the affected products list with a severity rating of low for the two Denial-of-Service vulnerabilities (the third, Remote Code Execution vulnerability, does not affect XP). As stated in the bulletin, in the default configuration, Windows XP is not affected by any of the issues addressed by the bulletin. However, we heard from enterprise customers that custom configurations that put XP in a vulnerable state are in use so we updated the bulletin for clarity. Does this mean there will be an update for Windows XP? No and I will use the text from the bulletin to explain why:

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

Concerning MS09-048 and Windows 2000, the scenario is very similar to Windows XP in that an attack requires a sustained flood of specially crafted TCP packets and the system will recover once the flood stops. Keeping Windows 2000 servers behind a NAT or reverse proxy can help to reduce risk.

In the last blog post I called out MS09-045 and MS09-047 as the highest priorities for deployment and while MS09-048 has received a lot of attention, we want to continue to stress getting those updates installed to all users.

This month we are leaving the Q and A out of the video because we have posted those questions to the blog and to keep the overall duration of the video down. If you like it this way or if you prefer us to leave that portion in, head over to the TechNet Edge site where we host the videos and leave your feedback there.

Get Microsoft Silverlight More listening and viewing options:

Following the webcast we got feedback that folks liked the new deployment priority slide as well as the new detail slides for each bulletin. We appreciate the feedback and will keep looking for ways to improve the content.

Please plan on joining us for our next regularly scheduled webcast on October 13 at 11:00 a.m. Click HERE to register.


Jerry Bryant