Monthly Security Bulletin Webcast Q&A – October 2009

Hosts: Adrian Stone, Senior Security Program Manager Lead
       Jerry Bryant, Senior Security Program Manager Lead

Website: TechNet/security

Chat Topic: October 2009 Security Bulletin
Date: Wednesday, October 14, 2009


Q: In reference to MS09-053, are all Internet Information Services (IIS) servers affected or only IIS servers running File Transfer Protocol (FTP)?

A: This bulletin only affects IIS servers running FTP.  If you are not running the optional FTP service in IIS, you are not affected by this vulnerability.


Q: What does “Browse and own” mean?

A: A “Browse and Own” scenario refers to a situation in which a user directs their browser to a malicious website that is able to execute code on the user’s system.


Q: Doesn’t the advice further reduce the risk if we don’t apply the SQL2005 update build?

A: The important thing to note about the new GDI+ attack surface reduction feature shipped with this update is that in order for this feature to be enabled, you must install this security update. This feature is included in this GDI+ release for customers to reduce their attack surface in the specific file formats mentioned in the Bulletin (BMP, EMP, GIF, ICO, JPEG, PNG, TIFF, and WMF) for attack surface reduction efforts post-MS09-062 release. Specific to how the GDI+ vulnerability relates to SQL Server 2005, if you do not have Windows 2000 clients on your network, you do not need to install the SQL Server update. If you do have Windows 2000 clients on your network, Microsoft recommends you install the SQL Server update first, so that Windows 2000 clients can update their RSClientPrint ActiveX Control upon their next connection to the SQL Server Reporting Services server.


Q: On the slide titled MS09-053: Vulnerability in Internet Information Server Could Cause Remote Code Execution (975254), I show the KB here should be 975245 and not KB975254.

A: KB975254 is the correct KB for MS09-053.


Q: On mitigating factors: my user is visiting a clean website but has a revolving advertisement that’s compromised, is there cause for concern?

A: Mitigations such as ESC, disabling active scripting, and ActiveX will still apply.

If the advertisement provider has been compromised or tricked into serving malicious content, the attacker will have the ability to run arbitrary HTML in the user’s browser through the advertisement.  Depending on the implementation of the revolving advertising provider (if the advertising provider serves content from a separate advertising domain and not the domain of the “clean” site), mitigations such as trusted sites will still apply.


Q: I have Office 2007 SP2 installed on Windows Vista SP2 and fully patched before applying Oct 2009 bulletins. Now MBSA 2.1.2104.0 scans indicate that ID 953195 Microsoft Office 2007 SP2 is missing, yet Microsoft Update states there are no updates available. Please fix this MBSA scanning error.

A: There are no known issues with MBSA scanning for any updates released yesterday.  Please contact CSS directly or post details on the MBSA newsgroup so we can work with you to troubleshoot and resolve this issue for you.


Q: Does MS09-061 impact servers?

A: MS09-061 affects Windows Server operating systems, however, not with critical severity. This is because remote code execution is mitigated on current server operating systems by two factors: ASP.NET is not enabled by default, and Enhanced Security Configuration is enabled in Internet Explorer (IE) by default.


Q: Has there been any more formal information on this blog entry RE: MS09-056

A: Microsoft is aware of these public reports. This issue is currently under investigation by the MSRC. If the issue can be confirmed, Microsoft will update the “Known Issues” section of the security bulletin and associated Knowledge Base (KB) article later today with guidance and recommendations for affected customers.


Q: If MS09-052 only applies to Windows Media Player 6.4, why do I receive the update through Windows Update for my Windows XP SP3 system with Windows Media Player 11?  Is there some “undocumented” fixes included?

A: Even though you may have upgraded to a later version of Windows Media Player, the older affected files may be left on your system.  The update is detected for your system, even though the vulnerability may not be reachable by the default media player.  There are no undocumented fixes in any of our security updates.


Q: Is MS09-050 exploitable without any user interaction?

A: Yes – there is no user interaction required for this issue to be exploited.


Q: Is the new Autorun update available through WSUS yet?

A: In July we released an update for Autorun that went out via Automatic Update (AU) that corrects the registry key settings. This update will correctly respect the registry key setting that disables Autorun that users may have set. This update is KB967715.  In August of this year we also released an update to Autorun that will only allow Autorun functionality for CD ROMs and DVD ROMs. This is the same behavior that is currently in Windows 7. This update is KB971029 and is only available from the Microsoft Download Center and does not go out via AU since it changes executed functionality.
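The following is an added example, not part of the webcast or of Microsoft's own tooling: a PowerShell script an administrator can run to confirm that the two Autorun updates named in the answer (KB967715 and KB971029) are installed and that the Autorun-disabling policy value is actually set. It assumes that the registry value the July update makes Windows honour is NoDriveTypeAutoRun under the Policies\Explorer key (checked in both HKLM and HKCU), that 0xFF in that value disables Autorun for every drive type, and that Get-HotFix lists installed updates by their KB id. The -DisableAll switch is a hypothetical convenience that writes 0xFF to the machine-wide value; run it elevated.

```powershell
# Added example: audit (and optionally set) the Autorun policy and the two 2009
# Autorun updates. Not taken from the webcast or any Microsoft script.
param(
    [switch]$DisableAll   # assumption: write 0xFF to HKLM NoDriveTypeAutoRun
)

$Kbs = @('KB967715', 'KB971029')
$ValueName = 'NoDriveTypeAutoRun'
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutorunUpdateStatus {
    # One row per KB: is it present in the installed hotfix list?
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($kb in $Kbs) {
        New-Object PSObject -Property @{
            Update    = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-AutorunPolicy {
    # One row per hive: raw value and whether it disables Autorun on all drives.
    foreach ($path in $PolicyPaths) {
        $prop = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            New-Object PSObject -Property @{
                Path = $path; Value = 'not set'; AllDrivesDisabled = $false
            }
        } else {
            $v = [int]$prop.$ValueName
            New-Object PSObject -Property @{
                Path = $path; Value = ('0x{0:X2}' -f $v); AllDrivesDisabled = ($v -eq 0xFF)
            }
        }
    }
}

function Disable-AutorunAllDrives {
    # Creates the key and value if missing; keeps the value a REG_DWORD.
    $path = $PolicyPaths[0]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $ValueName -Value 0xFF -Type DWord
}

Get-AutorunUpdateStatus | Format-Table Update, Installed -AutoSize
if ($DisableAll) { Disable-AutorunAllDrives }
Get-AutorunPolicy | Format-Table Path, Value, AllDrivesDisabled -AutoSize
```

The point of checking both rows together is the one the answer makes: before KB967715, a value of 0xFF could be present and still not be honoured, so a policy-only check gives a false sense of safety, and an update-only check says nothing about whether Autorun was ever disabled.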


Q: I noticed there are updates available for Server 2008 R2.  Why aren’t there ever updates for Server 2003 R2?

A: Windows Server 2008 R2 is a new product and is similar in name only, but Windows Server 2003 R2 is only an update to the existing Windows Server 2003 codebase.  Whenever we refer to Windows Server 2003 we are also referring to the R2 version.


Q: For MS09-062, does this have SQL server update separately or is it part of Windows update?

A: SQL Server has a separate update for each affected SQL Server version.  So if you have an affected SQL Server, you need to install two updates – the OS update and the SQL Server update.   Per the FAQ, if you do not run Windows 2000, the SQL Server update can be safely installed at your convenience.  If you run Windows 2000, we recommend installing the SQL Server update as soon as possible. From the bulletin:


If I have an installation of SQL Server, how am I affected?

When SQL Server Reporting Services is installed, the affected installations of SQL Server software may host the RSClientPrint ActiveX control. This ActiveX control distributes a copy of gdiplus.dll containing the affected code. Customers are only impacted when the RSClientPrint ActiveX control is installed on Microsoft Windows 2000 operating systems. If the RSClientPrint ActiveX control is installed on any other operating system, the system version of GDI+ will be used and the corresponding operating system update will protect them.


Customers with affected installations of SQL Server that are installed on Windows 2000 operating systems and have the RSClientPrint ActiveX control should apply the update immediately.


SQL Server Reporting Services is an optional component and must be installed for this security update to apply. Affected installations of SQL Server will only be offered this update if SQL Server Reporting Services is installed.


Q: Does MS09-056 require KB931125 September 2009 Root Certificate to be installed, and does KB931125 include a CRL for the Black Hat rogue certificate?

A: MS09-056 does not have KB931125 as a prerequisite, and there are no changes to the Root Certificate store for this update. Microsoft did not release an update which specifically refuses the specific rogue certificate presented at the Black Hat conference. However, the security update will reject parsing of any malicious certificate, including the one presented at Black Hat. A customer installing MS09-056 is fully protected against this vulnerability.


Q: We have SQL 2008 installed on Windows 2008. For MS09-062, are there two updates like one for windows and other for SQL? Or is it one update for both?

A: SQL Server 2008 is not affected by this bulletin.  Windows Server 2008 is affected by the bulletin.  So there is only one security update to install, which is the Windows Server 2008 update.


Q: How are MS09-055 and MS09-060 related?

A: MS09-060 addresses ATL-related issues in Microsoft Office components by providing an update.  MS09-055 provides killbits for certain ATL-related components to prevent them from being instantiated in Internet Explorer.


Q: After applying MS09-050 can SMBv2 be enabled again by deleting the smb2 key or does it need to be set to one (1)? I have disabled SMBv2 by setting the smb2 registry key to zero (0).

A: Yes – setting this registry key to ’1’ will enable SMBv2 on your system.
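As an added example (not part of the webcast, and not a Microsoft-supplied script), here is a PowerShell script that reports the state of the SMB2 value the MS09-050 workaround uses and, on request, sets it to 0 (disable) or 1 (re-enable), as the answer above describes. It assumes the value is a REG_DWORD named SMB2 under the LanmanServer Parameters key, that an absent value means the default (SMBv2 enabled), and that a restart is needed before the change takes effect. Run it elevated; with no arguments it only reports.

```powershell
# Added example: inspect and toggle the server-side SMB2 registry value.
# Assumption: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB2
# (REG_DWORD) — absent = default (enabled), 0 = disabled, 1 = enabled.
param(
    [ValidateSet('Report', 'Enable', 'Disable')]
    [string]$Action = 'Report'
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'SMB2'

function Get-Smb2State {
    # Distinguish "value absent" from an explicit 1 so the audit trail is clear.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (default, value absent)' }
    if ([int]$item.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled (value set to 1)'
}

function Set-Smb2State {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enable', 'Disable')]
        [string]$Mode
    )
    $data = if ($Mode -eq 'Disable') { 0 } else { 1 }
    # Set-ItemProperty creates the value if it is missing; -Type DWord keeps it REG_DWORD.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $data -Type DWord
    Write-Output "SMB2 set to $data. Restart the computer for the change to take effect."
}

Write-Output "Current SMB2 state: $(Get-Smb2State)"
if ($Action -ne 'Report') {
    Set-Smb2State -Mode $Action
    Write-Output "New SMB2 state: $(Get-Smb2State)"
}
```

Usage: `.\smb2.ps1` to report, `.\smb2.ps1 -Action Disable` to apply the workaround, `.\smb2.ps1 -Action Enable` to set the value to 1 once MS09-050 is installed. Keeping the explicit 1 rather than deleting the value leaves a visible record that SMBv2 was deliberately turned back on.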


Q: Our engineers have expressed concern over installing MS09-062 (the SQL Server updates).

A: At this time we have not seen any issues on the SQL update.


Q: As an SQL DBA, I am interested in the SQL2005 component of MS09-062. If we are not running on Windows 2000, is applying the SQL2005 patch overkill if we apply our O/S patch?

A: We recommend that you apply the security update to SQL Server deployments which have Reporting Services installed.  Since you are not using Windows 2000, your environment is secure once you have applied the OS security update to all computer systems within the environment.  As a best practice, deploying the security update on your SQL Server deployments with Reporting Services installed will ensure that the vulnerable DLL is no longer distributed by your Reporting Services deployment.