Monthly Security Bulletin Webcast Q&A – December 2009

Hosts:                   Adrian Stone, Senior Security Program Manager Lead

                                Jerry Bryant, Senior Security Program Manager Lead

Website:         TechNet/security

Chat Topic:     December 2009 Security Bulletins
Date:               Wednesday, December 9, 2009



Q: In reference to Windows Vista KB973565, we have machines that install this update, then reboot and uninstall the update. Is this a known problem? It downloads and installs fine when manually running the file, WSUS, or Microsoft update, but on reboot, it gets stuck in an uninstall loop.

A: This question is in reference to MS09-063, released in November. There are no known issues with this update.  Customers experiencing this or similar issues should contact Microsoft Customer Support for assistance.


Q: I’m being told that KB973917 seems to be breaking a lot of systems.  Has Microsoft received reports of this?  Is there a fix?

A: While we were not aware of any issues with this update at the time of our webcast, we have since learned there may be installation scenarios which could prevent IIS from starting once the update has been installed.  A complete description of the issue and our recommended corrective actions have been provided in KB2009746. 


Q: During your webcast the presenters mentioned an Anti-Virus Toolkit.  Can you please elaborate on this tool and provide a link?

A: There are two locations where customers can get additional information regarding Microsoft Anti-malware products: the MSRT ( or Microsoft security essentials (



Q: Are there currently any plans to address the recently reported SSL man-in-the-middle vulnerability described in CVE 2009-3555?

A: Microsoft is aware of reported vulnerabilities affecting the Transport Layer Security (TLS) specification that could potentially lead to man-in-the-middle (MITM) attacks. We are investigating these claims for any possible impact on Microsoft’s implementations of the TLS protocol. Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.


Q: Is the MS08-037 re-release automatically approved in WSUS if the original release was approved?

A: Yes.  The WSUS scan cab will show this new update, and it will receive automatic approval based on your previous settings.


Q: I thought MS09-072 would apply to Win2003, Win2008 and Win2008R2 if, and only if, you installed Internet Explorer 8.   Is this correct?

A: As documented in the Affected Software table of the Security Bulletin, MS09-072 is applicable to Windows Server 2003 for IE6, IE7, or IE8; on Windows Server 2008 for IE7 and IE8; and on Windows Server 2008 R2 for IE8.  Additional information on affected and non-affected software can be found in the bulletin. 


Q: KB970430 has been in the High Priority Non-Security Update list in October, November, and now December.  Each time the patch has been unavailable for download.  When will this be available for download?

A: These updates are available under the More Information tab of the KB article where it states “How to obtain this update”.


Q: Your comments on MS09-071 contradict the bulletin, re: CVE 2009-2505 only affecting Windows 2008 SP2.   I’ve been trying to learn if there is a service installed by default on W2K8 SP2 that makes these servers vulnerable.  And does the other flaw not affect servers at all?

A: As stated in the Security Bulletin, CVE2009-2505 only affects Windows Server 2008 SP2 and Windows Vista SP2. The vulnerable code is not introduced through a new service.  It is only present in that service pack release of the operating system. The vulnerable code is also present on Windows Vista SP2, but there are no known attack vectors on that platform, hence the rating of Important vs. Critical for Windows Vista.


Q: We recently had a few computers infected with the FakeAV worm when users were browsing the Internet.  I am just wondering if MS09-072 addresses that.

A: The FakeAV virus infects users primarily through social engineering.  In addition to ensuring your systems are fully updates, we also recommend that you familiarize your users with potential social engineering scenarios.


Q: Does MS09-071 only affect servers that have had something installed (like IAS)?  How would I determine which of my Win 2008 SP2 servers, if any, are vulnerable?

A: This vulnerability is present in the default installation, but the only known attack vector is through the Internet Authentication Service (IAS). In order to be vulnerable on a default installation, this service must be running. The vulnerability is in the PEAP MS-CHAPv2 authentication code, which can theoretically be used by third party applications as well, which is why this is being published as a Critical bulletin on SP2 and we recommend installation on all Windows Server 2008 systems in the bulletin.


Q: There are no details in the MS09-071 bulletin about the mechanics of the flaw on W2K8 SP2 (there are details for the workstation OS’s.)  Can you please provide more details?

A: More information on the scope and root cause of the vulnerability can be found in the security bulletin under CVE-2009-2505, which states that this is a memory corruption vulnerability in validation of MS-CHAPv2 authentication requests. The vulnerability is present in the same component as CVE-2009-3677 listed in the same bulletin, but has a different impact. While CVE-2009-3677 can lead to Elevation of Privilege at the network level, CVE-2009-2505 is a Remote Code Execution vulnerability.