Monthly Security Bulletin Webcast Q&A – April 2010

Hosts:                          Adrian Stone, Senior Security Program Manager Lead

                                    Jerry Bryant, Group Manager, Response Communications

Website:                     TechNet/security

Chat Topic:                 April 2010 Security Bulletin Release

Date:                           Tuesday, April 13, 2010



Q: Are the MS10-023 and MS10-028 updates available via Window Server Update Services (WSUS)?  They were not listed in KB894199 , or as an exception by KB910723?

A: Yes, both MS10-023 and MS10-028 are available via WSUS.  We will update the article to reflect this information.


Q: In reference to MS10-022 on Windows 2000 server; if VBScript 5.1 is installed, will the VBScript 5.1 hot update also include the VBScript 5.6 update or am I required to update them separately?

A: On Windows 2000, VBScript 5.1 is only present when Internet Explorer 6.0 is not installed. However, if you are still running Windows 2000 with Internet Explorer 5.01 SP4, installing the MS10-022 security update will update VBScript 5.1 to VBScript 5.6.


Q: Do you think a virus or worm can exploit the vulnerability in MS10-019?

A: This issue requires user interaction and is therefore not wormable.  It is possible, however, that this issue could be used in malware.


Q: Will the RSS Feed ‘Microsoft Security Content: Comprehensive Edition‘ be fixed in next month’s release to include the Advanced Notification Service (ANS)?  The last two were missing: April Advanced Notification Service and March OOB Advanced Notification Service.

A: Yes, you will see comprehensive RSS feeds for ANS moving forward.


Q: When you perform a Microsoft FixIt to address a published security vulnerability, is it required to be reversed prior to the application of an update that addresses the same vulnerability?

A: For most situations a FixIT will need to be reversed before installing the security update. All FixIT’s will have a Knowledge Base Article associated with them and will contain more detail regarding install and reversing before installing the security update.


Q: We use Exchange 2003 SP2 with Windows Server 2003 SP2. Are we required to update both the OS and Exchange for the MS10-024 update and in which order?

A: Both updates (the Exchange package and the Windows OS packages) are required in this scenario.  However, the order of installation is not important – either can be installed first.


Q: Will we get an updated SMS Extended Security Update Inventory Tool (ESUIT)?

A: The SMS ESUIT tool will continue to be provided until April 2011.


Q: With regards to MS10-024; does port 25 access (or whatever port SMTP is running on) need to be exposed for the starttls attack to work? If the ports are blocked from the public internet will those servers be safe from external exploitation?

A: For CVE-2010-0025, an attacker must be able to connect to the port where the SMTP server is listening – typically TCP port 25.  An attacker must be able to connect to this port and be able to issue commands to successfully exploit this vulnerability.


Q: Will MS10-022 apply the correct VBScript update with Windows 2000 and VBScript 5.8?

A: VBScript 5.8 is only installed when Internet Explorer 8.0 is installed; however, Internet Explorer 8.0 is not available on Windows 2000. The latest Internet Explorer version available for Windows 2000 is Internet Explorer 6.0, which includes VBScript 5.6. Also, a Windows Script Host 5.7 package is available for Windows 2000 which includes VBScript 5.7.


Q: Does the vulnerability in MS10-026 address only Windows Media Player or does it address other types of media players used outside of the Internet Explorer browser?  For example would the workstation still be exploited by this vulnerability when using Firefox with a different player?

A: The vulnerability in MS10-026 addresses a vulnerability in the codec that was provided with Windows. If another web browser or media player uses the same codec they could be exposed to the same vulnerability that is exposed in the codec. Microsoft recommends that users install this update regardless of the web browser or media player application being used.


Q: Our admins are reporting a higher-than-normal failure rate for installing MS10-019 on Windows XP machines.  Are there any reports from Microsoft on this?

A: We have not received any reports of this issue.  We recommend opening a case with Microsoft Customer Service and Support if this is a issue continues.


Q: What is the Product & Classification for the Malicious Software Removal Tool (MSRT) in Window Server Update Services (WSUS)?

A: the WSUS product classification for the MSRT is “Update Rollup”


*This posting is provided “AS IS” with no warranties, and confers no rights*