December 2009 Security Bulletin Webcast

imageLooks like the MSRC posted the December security bulleting webcast last Friday:

There is one question that I wanted to provide a little more information on and that references reports of KB973917 causing problems with Internet Information Services (IIS) 6.0 running on Windows Server 2003 SP2. There are scenarios where the system can be in a state where the correct core IIS .dll files are not in place. This may be the case if SP2 did not install correctly or if IIS 6.0 was installed on the system from a Windows Server 2003 Gold or SP1 CD after SP2 was installed. KB2009746 has more information on this and how to resolve the issue which is to essentially reinstall SP2 to get the right binaries on the machine.

To be clear, KB973917 references a non-security update that implements Extended Protection for Authentication in IIS. This is part of our overall work to address credential relaying attacks on Integrated Windows Authentication as described in Security Advisory 974926 that we released on Tuesday. The updates in question are not addressing vulnerabilities and I just wanted to clarify that point. To learn more about this work, please read the advisory and also this excellent blog post by Maarten Van Horenbeeck from the MSRC:

At this time, our Customer Service and Support group are not reporting any major issues with this month’s bulletins. If you do experience any issues obtaining or installing security updates, please visit for some great trouble shooting tips as well as various support options. You can also call 1-866-PCSafety (1-866-727-2338) in the US. For more regional contact numbers, please visit

For all the details see

J.C. Hornbeck | System Center Knowledge Engineer