Hosts: Adrian Stone, Senior Security Program Manager Lead
Jerry Bryant, Senior Security Communications Manager Lead
Chat Topic: February 2010 Security Bulletin Release
Date: Wednesday, February 10, 2010
A: MS10-003 only replaces the Office XP components of MS09-062. GDI+ updates contain updates across multiple Microsoft products; this will only replace the Microsoft Office portion of the GDI+ update.
Q: On the Bulletin Deployment Priority slide, what does “PUBLIC” indicate?
A: This indicates the vulnerability was publicly disclosed prior to the release of the security bulletin.
Q: MS10-009 shows a severity of critical on the bulletin but important on here. Is there a typo on one of these? http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx
A: The severity level for MS10-009 is indeed critical and the bulletin summary will be updated.
Q: Just to make sure I’m not confused when we deploy patch MS10-004. Does the MS10-004 bulletin replace MS09-017, Security Advisory 957784 (Office 2003) and Security Advisory 969618 (Office 2007)? A similar scenario occurs between MS10-004 and MS10-009; do you leave MS09-062 and MS09-017 enabled so it is pushed to clients or do you disable them and only have the MS10-003 and MS10-004 enabled and pushed to clients although the affected software does not include the same affected software as the old bulletins?
A: MS09-062 addresses an issue in GDI+ and the affected files are described at http://support.microsoft.com/?kbid=958869. MS09-017 is included with MS10-004 and therefore just installing MS10-004 is sufficient. Note: MS09-062 is not included in MS10-004 and must be installed separately.
Q: We have a large OS/2 Warp 4 installation with W2K3 and W2K8 servers on the backend. My question concerns the two Server Message Block (SMB) updates; are there any known interoperability issues?
A: There are no known interoperability issues between OS/2 Warp and our SMB updates; however, we do recommend testing these updates prior to integrating in mission critical environments.
Q: In MS10-010, are Virtual Server 2005 R2 SP1, Virtual PC, and Windows 7 XP affected?
A: This vulnerability affects only Hyper-V, and does not affect Virtual Server 2005, Virtual PC, Windows 7 XP mode or any of our other virtualization solutions. There is a significant difference between the underlying code base of both virtualization technologies and only Hyper-V is affected by this specific product vulnerability.
Q: Why does bulletin MS10-014 have an exploitability rating of 3? If it’s a DoS attack, I thought that it would have been rated higher. Also, why has it not been given a ‘critical’ severity level? Lastly, am I correct to assume that there is no code in the wild?
A: MS10-014 is an issue affecting a specific, non-default configuration of Kerberos deployment. For this vulnerability, there is no possibility of code execution. We are not aware of any exploit code in the wild. The Exploitability Index factors in:
· The chance of code execution, which in this case does not appear to be possible;
· The desirability of the exploit, which in this situation shows a low desirability due to non-default configuration; and
· Ease of exploit. This case would be difficult to exploit, even for denial of service.
Q: Are PowerPoint 03 Viewers affected by MS10-004?
A: Yes, the 03 viewer is affected by MS10-004. The FAQ section within the affected software section of the bulletin explains this in more detail. Users should update to the latest version of PowerPoint Viewer.
Q: Is it possible for MS10-009 to be tunneled in an Internet Protocol version 4 (IPv4) packet?
A: In order to exploit this vulnerability, an attacker must be on-link. An attacker is considered on-link if they are on the same physical or virtual link and are able to send a valid neighbor discovery message to the target host. Tunneling protocols such as Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) can establish a virtual link via IPv4. For more information about on-link addresses and Neighbor Discovery in IPv6, see RFC 4861 <http://tools.ietf.org/html/rfc4861>.
Q: You refer to firewall best practices often, can you direct me to a Microsoft article on this, to ensure my best practices are on target with Microsoft’s guidelines regarding firewalls?
A: A great place to start is with the TechNet article entitled “Best Practices for Managing Windows Firewall” at http://technet.microsoft.com/en-us/library/cc759479(WS.10).aspx. This article contains links to several articles on firewall guidance including:
Q: Security Advisory 977377 does not implicitly list the Secure Sockets Layer Virtual Private Network (SSL VPN) service included in Windows Server 2008. Will applying Enable_SSL_Renegotiate_Workaround.js cause IIS 7 to break SSL VPN connections?
A: Applying Enable_SSL_Renegotiation_Workaround.js changes the configuration of the web site so that when using certificate based mutual authentication, the client certificate is requested by the server prior to offering any content. This changes the behavior of the web site and requires significant testing. It is a workaround that will allow customers to continue to use mutual authentication while being protected against the vulnerability – no Transport Layer Security (TLS) renegotiation will be used when authorizing the client. This change will not break any SSL VPN connections, but we do recommend thorough testing as it will change the authentication behavior of the web site for users connecting with their web browser.
Q: When applying the Office updates; will the updates also apply to the Office compatibility add-on?
A: No, please refer to the non-affected software section of the bulletin.
Q: I am in the process of deploying Windows Server Update Services version 3 (WSUS 3). After I approve the application of MS10-012 is it necessary to decline MS09-001 or is it automatically superseded?
A: After deploying WSUS 3, the older update will remain approved; however, when a client system checks in and determines that it needs both updates, it (the system) will automatically pull the latest update which supersedes the older one.
Q: What is the difference between MS10-002 released during the January 2010 Security update and MS10-007? Do these address the same vulnerability occurring in different products? Is the difference in the way they pass the URL into the various products?
A: Both bulletins address the same vulnerability in the ShellExecute API. This API is offered both by Internet Explorer and Windows, depending on the platform. MS10-007 contains a detailed table in the FAQ section of its bulletin describing which applications require which update. We recommend reviewing this table thoroughly and installing those updates listed for your platform. This is especially important as this vulnerability is not limited to Internet Explorer and other applications consuming the ShellExecute API can also be affected by this vulnerability.
When the correct updates for your platform, per the table in MS10-007, are installed, all applications, including Internet Explorer, are fully protected against exploitation of this vulnerability. Customers using Automatic Updates will automatically be provisioned all the correct updates for their deployment.
Q: Does MS10-015 prevent any 16-bit applications from running properly on either Windows 2000 SP4, Windows XP SP3 or Windows Server 2003 SP2 32-bit operating systems?
A: Disabling 16-bit applications is a suggested workaround, but the MS10-015 security update addresses the vulnerability by ensuring the Windows kernel handles exceptions properly.