Out-of-Band Security Bulletin Webcast Q&A – March 30, 2010

Hosts: Adrian Stone, Senior Security Program Manager Lead
       Jerry Bryant, Group Manager, Response Communications

Website: TechNet/security

Chat Topic: March 2010 Out-of-Band Security Bulletin
Date: Tuesday, March 30, 2010



Q: CVE-2010-0483, like CVE-2010-0806, is a remote code execution vulnerability with exploit code that has been published and publicly available since March 1, 2010. Are there plans for updating these critical vulnerabilities? Does MS10-018 reduce the exposure to Security Advisory 981169 (CVE-2010-0483) on Internet Explorer 6 and Internet Explorer 7, and lastly, will Security Advisory 981169 be fixed in a future Internet Explorer update, or in the update of another Windows component?

A: Security Advisory 981169 (CVE-2010-0483) is contained in a different component, VBScript, and is not due to an Internet Explorer issue. We have not seen any active exploitation of this issue at this time, only the publication of proof-of-concept code. This issue will be addressed through a separate update.


Q: When will Microsoft release a download for today’s Out-of-Band update so that it is available via Window Server Update Services (WSUS)?

A: Today’s update has been distributed via Windows Update and the WSUS scan cabs are available now. If you are unable to access the updates via WSUS please contact Customer Service and Support at 1-866-PCSAFETY (1-866-727-2338) or visit http://support.microsoft.com.


Q: Does today’s update include the vulnerability exposed in the pwn2own competition during CanSecWest?

A: No. The vulnerability demonstrated at CanSecWest is new and was just disclosed responsibly to us.


Q: If my malware protection is updated and covers this vulnerability, am I covered throughout the normal update cycle?

A: Microsoft does not recommend waiting to install this update based on the presence of antivirus software. As part of the Microsoft Active Protections Program (MAPP), Microsoft has shared information on this vulnerability with specific antivirus vendors to enable them to build protection for their customers. However, antivirus software generally provides less effective coverage against specific new attacks than installing the security update. Installation of security update MS10-018 removes this vulnerability from the affected system and is, therefore, the most appropriate way to address this issue.


Q: Are there any remote issues with this Internet Explorer update or is it necessary for the target to view a webpage for the exploit to work?

A: There is not a remote vector to this vulnerability. A user would have to visit an attacker’s controlled website in order to be exposed to this attack.


Q: Is it only the CVE-2010-0806 vulnerability that benefits from DEP? DEP is not mentioned for any of the other vulnerabilities.

A: Data Execution Prevention (DEP) protects against exploitation of generic types of memory corruption vulnerabilities. DEP does not remediate the vulnerability itself, but helps ensure that attempts to exploit it are unsuccessful. DEP does in fact contribute to protecting the system against all of the remote code execution vulnerabilities listed in this bulletin. However, given the fact that CVE-2010-0806 is the only vulnerability in the bulletin that has currently seen active exploits, it is listed specifically under that CVE as additional protection.


Q: Why wasn’t the RSS feed ‘Microsoft Security Content: Comprehensive Edition’ updated on Monday, March 29, 2010 announcing the scheduled OOB release?

A: We did experience an issue with the RSS feed yesterday, but this was addressed, and today it correctly reflected this release. We apologize for the inconvenience caused and have taken action to ensure this issue does not happen during future releases.


Q: What malware has been seen in the wild that takes advantage of this vulnerability and how impactful have these malware attacks been?

A: We are aware of samples of malware leveraging this vulnerability. There are multiple pen-testing tools that also leverage this attack, so it is not possible to pinpoint specific malware in order to be protected against this vulnerability. For more information about malware as well as signatures for detection, please see the MMPC blog at http://blogs.technet.com/mmpc/archive/2010/03/30/active-exploitation-of-cve-2010-0806.aspx.


Q: Sometimes these updates are the cause of various compatibility issues with existing Microsoft products. Are there any known compatibility issues in today’s update?

A: We are not aware of any issues with this update at this time.


Q: Why does this update require a reboot, even if Internet Explorer is not open?

A: There are multiple binaries in the Internet Explorer cumulative update that require the system to be restarted in order for the changes to take effect.


Q: Is it possible to block this vulnerability using Internet Security & Acceleration Server (ISA) 2004 or ISA 2006?

A: If you know the malicious IP or URL, it can be blocked. You should also only allow access to trusted sites; however, the NIS component that is leveraged by Forefront Threat Management Gateway (TMG) is not able to provide additional protection here. For additional details you may wish to look at the MMPC blog.


Q: Do you have any facts on how quickly these targeted attacks are increasing and who exactly is being targeted?

A: We are seeing these attacks in a widespread manner; they are not contained to one particular geographic region. The MMPC has published some information on their blog showing the geographic breakdown: http://blogs.technet.com/mmpc.


Q: I am behind a firewall at work and we have web and email content filtering in place. How critical do you think it is that we apply this update immediately?

A: Microsoft recommends applying the security update to protect your infrastructure as soon as feasible. Due to the nature of the exploit, unless the firewall or web/email filtering blocks JavaScript content, they will be unable to protect users.


Q: Do the workarounds for the ‘Uninitialized Memory Corruption Vulnerability - CVE-2010-0806’ found in MS10-018 enable or disable ActiveX Controls in Office 2007? If Office 2007 is not installed, is the vulnerability reduced?

A: The vulnerability being addressed is in the Internet Explorer application. Applying the update removes the vulnerability.


Q: What was the name of the web site mentioned during the live webcast regarding showing the charts with the countries where attacks are occurring?

A: You can find more information on the active exploitation of this vulnerability, and its distribution by locale, on the blog of the Microsoft Malware Protection Center at http://blogs.technet.com/mmpc/.


Q: Are there any non-security changes in MS10-018 that might cause problems in existing browser based applications?

A: There are no non-security updates or changes to functionality included with this update, and we recommend that users install this update. If you encounter problems with this update, please report them to 1-866-PCSAFETY or http://support.microsoft.com.


Q: Does this update force a reboot to go into effect in all situations?

A: The detection and deployment section of the bulletin includes instructions on deploying this update without forcing a reboot. These instructions involve the ‘no restart’ switch.


Q: Do these vulnerabilities affect only Internet Explorer or do any of them affect the system without using Internet Explorer?

A: The exploitation of any of the vulnerabilities addressed in this update requires an IE user to visit an attacker controlled site.