Hosts: Christopher Budd, Microsoft Security Response Communications Lead
Adrian Stone, Microsoft Security Response Center (MSRC)
Topic: Information about Microsoft Security Bulletins
Date: Wednesday, June 11, 2008
Q: Was XP SP3 released via AU yesterday? Also where did Microsoft announce this ahead of time?
A: No, XP SP3 was not released via AU yesterday.
Q: MS08-030 – does this affect 3rd party stacks like the Toshiba Bluetooth stack? Do 3rd party drivers require the vulnerable Microsoft code to operate?
A: The update is specific to the MS Bluetooth stack on Windows client operating systems, and 3rd party Bluetooth stacks may or may not be affected depending on their implementation. For example, the Windows Mobile Bluetooth stack is different from the Windows stack and is not exposed to the same vulnerability and is not affected. As far as a 3rd party Bluetooth stack goes, if their stack takes a dependency on the Windows stack then they could be vulnerable.
Q: I presume the Bluetooth vulnerability requires physical proximity to the device (i.e. within Bluetooth range). Is this accurate? Does it also require a device to already be paired, or can it be exploited before pairing?
A: A possible attack would require close physical proximity. Pairing is required; however, pairing can be brute forced for devices that are in a discoverable mode.
Q: MS08-032, Is the speech recognition enabled by default in Windows XP?
A: The speech recognition capability is not turned on by default on Windows XP. It is also not turned on by default on any platform. The speech recognition software is also required to be configured after it is turned on, before it can be used by a user.
Q: Regarding the Bluetooth vulnerability: Does the BT radio have to be enabled in order for MS Update to determine the need for this update? Also, does this apply only to systems using the default MS Bluetooth stack or does it also apply to Widcomm, etc?
A: No, Bluetooth radio does not need to be enabled for Windows Update to detect and deploy a fix for this vulnerability. This is due to the fact that Bluetooth can be enabled on your machine at any time; by updating the vulnerable files you will be protected in all cases where Bluetooth is used.
Q: In regards to MS08-034, this only applies to WINS servers, not WINS clients, correct?
A: That is correct: the update is specific to WINS servers; WINS clients are not affected by this vulnerability. FYI: this is a local EOP (elevation of privilege) only and not an RCE (remote code execution) vulnerability.
Q: Is MSMQ installed by default in Vista and Server 2008?
A: No – MSMQ (Microsoft Message Queuing) is not installed by default on Windows Vista or Windows Server 2008.
Q: In MS08-035, does the AD stop responding or the system stops responding and restarts? Does this impact the authentication of other users?
A: The vulnerability can cause the AD (Active Directory) server to either stop accepting new LDAP (Lightweight Directory Access Protocol) queries, or cause the server to reboot and recover correctly. If the attack is successful in DOS’ing (denial of service) the AD server then any client authentication would be disrupted.
Q: Can the vulnerability in MS08-035 be exploited before authentication to an LDAP server?
A: On Windows 2000 the attacker does not have to be authenticated; on Windows Server 2003 and above the attack requires authentication.
Q: Does MS08-036 affect W2K3 SP2 64 bit?
A: As listed in the bulletin, this important DoS vulnerability bulletin does affect Windows Server 2003 x64 SP2.
Q: MS08-035 – AD – All other bulletins do show in my ITMU (Inventory tool for Microsoft Updates) software updates and are available as usual. This one is not. I am running SMS 2003 SP3. Is it supposed to show? I would like to confirm.
A: This update will only get offered if the system is an AD server or has ADAM (Active Directory Application Mode) installed and enabled. If your system does not meet these requirements the update will not be offered to that system.
Q: Now that Windows XP Service Pack 3 has been released, will Windows updates going forward only support SP3 or will versions be available that will also support SP2 (which is all we are allowed to deploy at this time)?
A: The Microsoft Lifecycle Support Service Pack article shows XPSP2 support ends in 2010.
Q: The detection and deployment slide shows MBSA 2.1 – are these also supported in MBSA 2.0.1?
A: MBSA 2.0.1 (Microsoft Baseline Security Analyzer) support is the same as listed in MBSA 2.1. We recommend all customers upgrade to the latest released version of MBSA. More information on the MBSA tool can be found at www.microsoft.com/mbsa
Q: http://www.lcs-guides.com/problems-archiving-service-and-msmq. Doesn’t Live Communication Server turn on MSMQ? Would this be a product that we need to see if it is a higher risk?
A: LCS (Live Communication Server) 2005 uses MSMQ for archiving purposes. MSMQ is used by the Archiving Agent to receive notifications from the Archiving service destination queue and as a local temporary transmission queue if the archiving service is unavailable.
Q: Assumption: Since WINS is running on our Domain Controllers the exploit becomes even greater as it can now compromise the Domain Controller as well. Do you agree? I am trying to convince our company to separate WINS services away from our Domain Controller.
A: The vulnerability is a local EOP, and so this would require an attacker to be able to log onto the machine. If WINS and AD are on the same server then the threat level to your infrastructure is greatly increased. Best practices should restrict which users are allowed to log on to infrastructure critical components.
Q: We run a WSUS server and last night we had an update go to all machines and auto-restart them even though I didn’t approve any updates till this morning. Any clue what that was?
A: It will depend on the OS and your automatic approval settings. The easiest way to tell is to simply visit a client and see what update was applied, as they are listed by date in Add/Remove Programs, or check your WSUS server logs, which should show your approval history.
Q: Is there a real difference between Windows XP and Windows XP Professional in regards to IE security updates?
A: No. We only list a difference between XP Pro and other editions in MS08-035 because ADAM will only install on the Professional edition. As far as IE is concerned they are the same.
Q: In regards to MS08-036, if you apply the patch and later someone installs MSMQ, do you then need to re-apply this patch?
A: Once the patch is installed, it should not need to be refreshed if MSMQ is subsequently installed.
Q: When will there be a blocking tool provided for Windows XP SP3?
A: The Windows Service Pack Blocker Tool Kit will allow you to block deployment of Windows XP SP3. The tool can be found by searching on the download center for this tool. It can also be directly accessed via http://www.microsoft.com/downloads/details.aspx?familyid=d7c9a07a-5267-4bd6-87d0-e2a72099edb7&displaylang=en&tm.
Q: How can you tell which version of the Malicious Software Removal Tool a computer is running?
A: By checking a registry key, you can determine whether the MSRT tool has been run on a computer and which version was the latest version that was used. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
891716 (http://support.microsoft.com/kb/891716/) Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment.
Q: “Is there a direct correlation to a Symantec/McAfee threat posting, for each new detection within the Microsoft Malicious Software Removal Tool?”
A: No, there is no correlation. For information on MSRT, see: http://support.microsoft.com/kb/890830.