Monthly Security Bulletin Webcast Q&A – June 2010

Hosts:                                   Adrian Stone, Senior Security Program Manager Lead

                                             Jerry Bryant, Group Manager, Response Communications

Website:                              TechNet/security

Chat Topic:                          June 2010 Security Bulletin Release

Date:                                    Tuesday, June 8, 2010


Q: The .NET updates are only a security update correct? Not a service pack or rollup, right?

A: The June Security Bulletin release had one security bulletin, MS10-041, for the .NET Framework and another set of updates corresponding to Microsoft Security Advisory 973811. The update corresponding to Microsoft Security Advisory 973811 carries the extended protection security feature, so that is not a security update in the traditional sense. But there was no service pack or rollup in the June release.


Q: Will Microsoft provide updates for Windows 2000 next month? Do you recommend we upgrade to a newer version of Windows?

A: We remind all Windows 2000 and Windows XP SP2 customers that all support for these platforms will end after July 13, 2010. Customers should upgrade to either a supported operating system or the latest service pack in order to keep receiving necessary security updates. We will release appropriate bulletins for Windows 2000 and Windows XP SP2 next month.


Q:  Why does the update required in KB979909 prompt for an interaction? This causes it to fail installation on Windows Update.

A: Security updates deployed via Windows Update generally do not prompt for user input; however some updates may display an End User License Agreement (EULA) which needs to be accepted before the update is installed. If the update KB979909 is installed in the same transaction as another update which shows a EULA then it may appear like the prompt is coming from the update KB979909. We are not aware of any specific issues at this times that may cause KB979909 to display a user prompt, but if you are encountering this issue please contact 1-866-PC-SAFETY and our support engineers should be able to assist.


Q: Why was the Cumulative IE patch MS10-018 automatically declined by Windows Server Update Services (WSUS) when MS10-035 was just released?  Also, MS10-018 can no longer be approved either.

A: This month’s IE update did initially experience some detection issues in the update, but this has been corrected. As the IE updates are Cumulative in nature, the updates provided in MS10-018 are included in MS10-035. If you install the latest IE update, it will include the previous fixes.


Q: For clarity, when will these updates be released for download by System Center Configuration Manager (SCCM)?

A:  Most of the updates are available via SCCM. Please see the bulletin for specifics.


Q: In testing these updates  on release day we had multiple Windows XP systems that were idle (no applications in use), I was surprised to find that it took two or even three cycles of patches and reboots to get all the updates installed. In other words, rather than one reboot at the end, there were some updates then reboot, more updates then reboot. On one machine, yet more updates and another reboot.  Can you explain why that is necessary?  Microsoft updates are usually sequenced better than this, so that only one reboot is needed.

A: Without specific parsing of logfiles, it’s difficult to diagnose multiple reboot scenarios but I would guess that it’s possible you had earlier updates that had not yet been applied to this machine, or you had not yet rebooted from a prior update installation. Windows Update requires that if you have a pending reboot that the reboot must be completed before it can install newer updates. That may be the reason for the behavior you observed.


Q: In reviewing our (WSUS) server this morning after synchronization overnight, MS10-033 was not yet available. Has this update been made available for WSUS?

A: There are multiple KB’s associated with MS10-033.  Please refresh your WSUS scan cab file and contact Customer Service if you still experience this issue.


Q: Concerning MS10-041, are all of the updates required to be installed? For example, we have deployed .NET 3.5 SP1 as a package that also updated some earlier versions of .NET. Does the same apply here? Does the update for .NET 3.5 SP1 also patch the earlier versions of .NET?

A: You can have more than one version of the .NET Framework installed side-by-side. Therefore, yes, you need to install all updates that pertain to versions of the .NET Framework you have installed. Technologies like Windows Update (WU), Microsoft Update MU) and WSUS will detect automatically which updates are applicable to your system. For more information, please see the General FAQ section in the MS10-041 bulletin, specifically the question: “How do I determine which version of the Microsoft .NET Framework is installed?”


Q: When Windows XP SP2 falls out of support, does that mean Windows XP x64 is totally out of support?  There isn’t a Service Pack 3 (SP3) for Windows XP x64.

A: Windows XP x64 released to manufacturing (RTM) is out of support. We recommend upgrading to Windows XP x64 SP2.  See for a full listing of supported platforms.


Q: Does installation of MS10-039 in a multi-server Microsoft Office SharePoint Server 2007 (MOSS) environment require manual, ordered installation and running of the wizard, similar to a MOSS service pack deployment?

A: Yes, the installation of MS10-039 on a multi-server MOSS environment does require manual install. For best results you should also do an ordered installation.


Q: For MS10-033, can email firewall vendors scan attachments for this vulnerability?

A:  In the case of malicious media content attached to email, yes they can, although there are attack vectors affected by this vulnerability that can’t be scanned by email scanners — for instance, a malicious website can host specially crafted media content.  In this scenario, an email firewall will not mitigate against this issue.


Q: MS10-039 does not appear in Windows or Microsoft Update.  How is this update applied?

A: Security updates are available from the Microsoft Download Center. You can find them most easily by doing a keyword search for “security update.”  In addition, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (for instance, “MS10-039″), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.


Q: Not sure if it was addressed, but has MS10-020 and the issues saving files to network shares been resolved?

A: You can review KB980232 to see the latest information about this issue.  All known issues and their resolutions will be listed there.


Q:  The bulletin for MS10-039 says an “attacker could gain the same user rights on the SharePoint site as the targeted user.” If targeted user is a Domain Admin, would attacker have Domain Admin rights on all domain members?

A: No. For CVE-2010-0817 the targeted user can only gain rights in SharePoint and not on the domain.  When an attacker initiates this attack and they convince the targeted user to click the Cross-Site-Scripting (XSS) link, the attacker is essentially tricking the targeted user to run commands sent by the attacker against the SharePoint server.


Q: Do we have any detection logic in this month’s Kernel update so that it doesn’t create any big impact, such as the blue screen of death (BSOD) issue of February’s release?

A: There are no updates this month that require additional detection logic.  We have no reports of known issues at this time that would cause us to use this type of detection logic.


Q: Are known issues tracked on the knowledge base (KB) article associated with each of the updates? How often is that updated?

A:  All known issues are tracked through the bulletin’s KB article. These are added as issues are identified.


Q: Regarding MS10-039 for Office SharePoint, does the user need to successfully log into the site to submit the request?

A: For both the CVE-2010-1257 Information Disclosure issue and the CVE-2010-1264 denial of service (DoS) issue, in the SharePoint bulletin MS10-039, authentication is required. However, for CVE-2010-0817 — the help .aspx issue — no authentication to the SharePoint server is required.


Q: I don’t mean to sound stupid but what is meant by applying a shim? And what is a shim?

A: With the Shim infrastructure, which we also call the Microsoft Windows Application Compatibility Infrastructure, you can target a specific application fix but only for a particular application (and typically, for particular versions of that application), with these fixes housed outside the core Windows functions and maintained separately.  To get a complete understanding of shim technology, please see