Hosts: Adrian Stone, Senior Security Program Manager Lead
Jerry Bryant, Senior Security Program Manager Lead
Chat Topic: July 2009 Security Bulletin
Date: Wednesday, July 15, 2009
Q: How is Fix-It different from a security bulletin?
A: A Fix-It will automatically apply a workaround to address a particular issue. A bulletin provides a comprehensive update to address the root cause of the vulnerability.
Q: Is it expected that an Out-of-Band release will be made for Security Advisory 973472?
A: No release plan or date has been announced. Apart from the Advance Notification Service (ANS), we do not pre-announce release plans or dates.
Q: If you don’t have QuickTime installed (Apple’s version), are you still vulnerable to the MS09-028 exploit?
A: Yes, the affected component is not dependent on the version or presence of Apple QuickTime on a system.
A: MS08-032 Cumulative Security Update of ActiveX Kill Bits replaces:
MS08-023 Security Update of ActiveX Kill Bits;
Q: Is there an all in one download for all the June patches?
A: There were 10 separate bulletins in June; each has a separate resolution / set of updates. We do not combine any or all of these in any fashion.
Q: We use SMS 2003 and ITMU to distribute our monthly security updates. Can you confirm that mainstream support will end in January 2010 and if so, what does this mean for users of this product – meaning, will there be scenarios where future service packs for operating systems such as Windows XP or Windows Server 2003 will not be available through SMS and the ITMU engine?
Note: The SUS Feature Pack, which can be installed on either SMS 2.0 or SMS 2003, is winding down, and this August it will lose the ability to deploy Microsoft Office updates as the Microsoft Office Update Inventory Tool is being retired along with Microsoft Office Update.
Q: What month will Windows 7 security bulletins start releasing?
A: We will be addressing Windows 7 in security bulletins once it officially RTMs (Release to Manufacturing).
Q: For Security Advisory 973472, can Fix-It be deployed in an enterprise environment or is the only feasible solution to apply the killbit setting?
A: It would be quite straightforward to deploy this via Group Policy for the registry settings, or even the fixIt.MSI package itself.
Q: Bulletin MS09-029 states that a restart is required, yet installation of this update on Windows XP SP2 and Windows Server 2003 SP2 using the Windows Server Update Service (WSUS) or from the Microsoft Update (MU) site did not prompt for a restart. Is a manual restart still required?
A: The system may need to be restarted when deploying this update if the files are in use. A restart is not required for protection if a prompt for a restart is not received.
Q: The new Fix-It feature for Security Advisories is good for home users, can Microsoft also publish sample AD scripts for domain deployment in the same timeframe?
A: The new Fix-It tools are designed for home users; however, you can deploy them silently with Group Policy or a script. You should use the “/Quiet” switch. Additional Group Policy reference: http://technet.microsoft.com/en-us/library/cc738151(WS.10).aspx.
Q: In MS09-030, though it is a remote code execution vulnerability, it is rated as Important. There have been Office bulletins which were marked as Critical even though the open confirmation tool came into the picture. Is there any other reason to bring down the severity?
A: Microsoft Office Publisher 2002 and later versions have a built-in feature that prompts a user to Open, Save, or Cancel before opening a document. This mitigating factor reduces the remote code execution vulnerability from Critical to Important because the vulnerability requires more than a single user action to complete the exploit. Prior updates for Office also included updates for Office 2000 which did not contain the built-in feature and that is why they were rated Critical. Most of the time, other versions of Office were rated Important even though the aggregate severity was Critical due to Office 2000 (which has now reached the end of lifecycle).
Q: Will these fixes help us with the present Botnet attacks propagating across the web?
A: From the victim-side of Botnet attacks, general anti-DDoS measures should be investigated. From the “machine taken over and becoming a Botnet attacker” (“zombie”) side, there are many vectors. These are the same as any virus or zombie threat to a computer. While these may include vulnerabilities, they also may be via Trojans which rely upon weak passwords or social engineering, and no technical vulnerability at all.
Q: I have never created a WMI file with the /quiet command to deploy an update; is there a sample script available to reference?
A: Please look at this KB for syntax: KB227091 Command-Line Switches for the Microsoft Windows Installer Tool.
Q: With Office Update being retired, what, if any, are the versions affected, i.e., Office 2007, etc.?
A: To clarify, Office Update allowed users to get updates for Office products. The updating tool is being retired and replaced by Microsoft Update, which has been in use for some time and allows users to receive updates for almost all Microsoft products. Of the Office suites themselves, only Office 2000 has been retired as of 7/14/09.
Q: I’m currently repairing and setting up home users as a side business and the most urgent problem I’m having is presenting the home users with a suitable outbound firewall. Will Microsoft ever present a firewall with an outbound capability?
A: The client firewall included with Windows Vista has the capability to selectively block outbound connections. See http://www.microsoft.com/windows/windows-vista/features/firewall.aspx for a full list of features.
Q: I have a customer asking about Security Advisory 973472. Why is this not listed with the July Security Bulletins?
A: This is a Security Advisory, not a Security Bulletin. The intent in this Advisory is to notify customers of an “unpatched” vulnerability within the Office Web Component ActiveX Control, and provide a workaround solution for customers to be able to protect themselves while Microsoft develops a proper security update.
Q: Any updates on Security Advisory 973472?
A: It should be noted that the vulnerability disclosed in Security Advisory 973472 is not addressed in Cumulative Security Update of ActiveX Kill Bits 973346. Microsoft is currently working to develop a security update for all affected software listed in the overview section to address this vulnerability and will release the update when it has reached an appropriate level of quality for broad distribution.
Q: In MS09-029, can that font be put directly into body of the email?
A: (Without an attachment since word is integrated to outlook) – This is not really a font in a traditional sense, it’s a subsetted embedded font – EOT (embedded open type font). Outlook doesn’t process EOT directly, so one needs it as an embedded font in Microsoft Word or PowerPoint (or some other 3rd party application).
A: No, you do not have to uninstall the workaround and we encourage you to install the security update right over the top of it. While Fix it mitigated the issue that was being publicly exploited, the update comprehensively addresses the issue as well as two other related issues in the same component.
Q: MS09-029 states that a reboot is required (for all platforms), but the executable always seems to return an exit code of 0 (no reboot needed) rather than 3010 (reboot needed).
A: The system may need to be restarted when deploying this update if the files are in use. A restart is not required for protection if a prompt for a restart is not received. The bulletin is being revised to reflect this fact.
Q: Is this a correct ActiveX servicing summary? Microsoft products will result in a new ActiveX Cumulative Bulletin patch for all ActiveX, both Microsoft and 3rd party. New 3rd party ActiveX will result in a new Security Advisory and will only be cumulative for 3rd party applications.
A: Any new 3rd party killbits that come in will be included as part of the killbit advisories only. These updates via a security bulletin are rollups and are cumulative in nature. They contain killbits for only Microsoft products.