The official corporate security response blog

  • MSRC

    September 2009 Security Bulletin Webcast Video and Customer Q and A

    In the September 2009 security bulletin webcast, it was clear that customers had a lot of concerns about MS09-048 as almost half the questions we answered were on that topic. The questions and answers from the session are now posted here on the blog.

As we mentioned in the webcast, the MS09-048 bulletin has been updated to call out Windows XP in the affected products list with a severity rating of Low for the two Denial-of-Service vulnerabilities (the third, a Remote Code Execution vulnerability, does not affect XP). As stated in the bulletin, in the default configuration Windows XP is not affected by any of the issues addressed by the bulletin. However, we heard from enterprise customers that custom configurations that put XP in a vulnerable state are in use, so we updated the bulletin for clarity. Does this mean there will be an update for Windows XP? No, and I will use the text from the bulletin to explain why:

    If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
    By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

    Concerning MS09-048 and Windows 2000, the scenario is very similar to Windows XP in that an attack requires a sustained flood of specially crafted TCP packets and the system will recover once the flood stops. Keeping Windows 2000 servers behind a NAT or reverse proxy can help to reduce risk.
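The bulletin text above describes the MS09-048 denial of service as a sustained flood of crafted TCP packets from which the host recovers once the flood stops, and recommends blocking the affected ports at the host or network firewall. As an added illustration, not code from MSRC or from the bulletin, the script below shows the defender-side check that follows from that description: it parses Windows Firewall log lines in their W3C-style `#Fields:` layout and reports only a source that keeps one port above a packet-rate threshold for several consecutive seconds, so a single burst or an ordinary connection attempt is not flagged. The log excerpt, the IP addresses, the port numbers and the thresholds are all constructed for the example.

```python
"""Flag a sustained TCP flood against one port in Windows Firewall log lines.

Added example for this post (not MSRC's or the bulletin's own code). The
bulletin describes the MS09-048 denial of service as a *sustained* flood of
crafted TCP packets from which the host recovers once the flood stops, so a
one-second burst is noise and several consecutive hot seconds from one
source against one port is the signal worth alerting on.
Assumptions: lines follow the W3C-style '#Fields:' layout that the Windows
Firewall writes to pfirewall.log, and the rate thresholds are illustrative.
The sample log is constructed, not captured from a real host.
"""
from collections import defaultdict
from datetime import datetime


def parse_firewall_log(text):
    """Yield (timestamp, action, protocol, src_ip, dst_port) per data line.

    The '#Fields:' header names the columns; other '#' lines and malformed
    lines are skipped rather than raising, since real logs get truncated.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue
        rec = dict(zip(fields, parts))
        stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield stamp, rec["action"], rec["protocol"], rec["src-ip"], int(rec["dst-port"])


def find_sustained_floods(records, rate_threshold=50, min_seconds=3):
    """Return {(src_ip, dst_port): (first_second, last_second, peak_per_second)}.

    A (source, port) pair is reported only when its TCP packet count stayed at
    or above rate_threshold for min_seconds *consecutive* seconds; isolated
    bursts and ordinary connection attempts fall below the bar.
    """
    per_second = defaultdict(lambda: defaultdict(int))
    for stamp, _action, protocol, src_ip, dst_port in records:
        if protocol == "TCP":
            per_second[(src_ip, dst_port)][stamp] += 1

    floods = {}
    for key, buckets in per_second.items():
        run, prev = [], None
        for second in sorted(buckets):
            hot = buckets[second] >= rate_threshold
            contiguous = prev is not None and (second - prev).total_seconds() == 1
            if hot and (contiguous or not run):
                run.append(second)          # extend or start a hot run
            elif hot:
                run = [second]              # hot again after a quiet gap
            else:
                run = []                    # flood stopped; host should recover
            if len(run) >= min_seconds:
                floods[key] = (run[0], run[-1], max(buckets[s] for s in run))
            prev = second
    return floods


def build_sample_log():
    """Constructed pfirewall.log excerpt: one flood plus benign traffic."""
    lines = [
        "#Version: 1.5",
        "#Software: Microsoft Windows Firewall",
        "#Fields: date time action protocol src-ip dst-ip src-port dst-port "
        "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
    ]
    # 192.0.2.10 sends 60 SYNs per second to port 445 for four straight seconds.
    for sec in range(4):
        for n in range(60):
            lines.append(f"2009-09-10 11:00:0{sec} DROP TCP 192.0.2.10 198.51.100.5 "
                         f"{40000 + n} 445 40 S 1 0 65535 - - - RECEIVE")
    # A normal client connection, and a one-second burst that is not sustained.
    lines.append("2009-09-10 11:00:01 OPEN TCP 192.0.2.20 198.51.100.5 50000 445 - - - - - - - - -")
    for n in range(60):
        lines.append(f"2009-09-10 11:00:05 DROP TCP 192.0.2.30 198.51.100.5 "
                     f"{41000 + n} 139 40 S 1 0 65535 - - - RECEIVE")
    return "\n".join(lines) + "\n"


def analyze(text, rate_threshold=50, min_seconds=3):
    """Parse the log text and return the sustained floods found in it."""
    return find_sustained_floods(parse_firewall_log(text), rate_threshold, min_seconds)


if __name__ == "__main__":
    for (src_ip, port), (start, end, peak) in analyze(build_sample_log()).items():
        print(f"sustained flood from {src_ip} to port {port}: "
              f"{start.time()} to {end.time()}, peak {peak} packets/s")
```

The thresholds are the knob to tune per environment: a file server legitimately sees bursts of connections, so the consecutive-seconds requirement matters more than the raw rate, and the same per-second bucketing works unchanged on a network firewall's log if its columns are mapped to the same field names.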

    In the last blog post I called out MS09-045 and MS09-047 as the highest priorities for deployment and while MS09-048 has received a lot of attention, we want to continue to stress getting those updates installed to all users.

    This month we are leaving the Q and A out of the video because we have posted those questions to the blog and to keep the overall duration of the video down. If you like it this way or if you prefer us to leave that portion in, head over to the TechNet Edge site where we host the videos and leave your feedback there.


    Following the webcast we got feedback that folks liked the new deployment priority slide as well as the new detail slides for each bulletin. We appreciate the feedback and will keep looking for ways to improve the content.

    Please plan on joining us for our next regularly scheduled webcast on October 13 at 11:00 a.m. Click HERE to register.

    Thanks!

    Jerry Bryant

  • MSRC

    Microsoft Security Advisory 975497 Released

    We’ve just released Microsoft Security Advisory 975497, which provides information about a new, irresponsibly reported vulnerability in SMB 2.0. Our investigation has shown that Windows Vista, Windows Server 2008 and Windows 7 RC are affected by this vulnerability. Windows 7 RTM, Windows Server 2008 R2, Windows XP and Windows 2000 are not affected by this vulnerability.

    The Security Advisory outlines steps that Windows Vista and Windows Server 2008 customers can take to help protect themselves while we work on a security update for this issue.

    As always, we’ve provided information through Microsoft Active Protections Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA) that they can use to help provide broader protections to customers.

    We will update you through our security advisory and the MSRC Weblog as we have new information.

    Thanks

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights*

  • MSRC

    September 2009 Security Bulletin Release

    Summary of Microsoft’s Security Bulletin Release for September 2009

    Hello again,

    This month we released five critical bulletins to address vulnerabilities in Windows and protect customers from two types of threats:

    1. Browser based attacks where websites hosting malicious code attempt to compromise visitors. This includes MS09-045, MS09-046 and MS09-047.

    2. Network based scenarios where attackers attempt Remote Code Execution (RCE) or Denial-of-Service (DoS) type attacks. This includes MS09-048 and MS09-049.

    For this set of bulletins, we consider the first category to be the biggest threat to customers overall as reflected in our Severity and Exploitability Index slide where we present a high level, aggregate view of each bulletin:

    We also refer to the slide above as our risk and impact assessment. The risk of exploitation combined with the impact of the vulnerability should help customers prioritize these bulletins for deployment. To provide further guidance in this area, this month we are providing a new deployment prioritization assessment. As noted on the slide below, there are several factors that we used to determine the priority. However, there are many other potential variables that may be unique to your environment so we recommend each customer perform their own assessment and install all security updates as soon as possible.

    As you can see, we give MS09-045 and MS09-047 the highest deployment priority mainly due to these being browse and own attack scenarios and a high exploitability index rating. Exploits for MS09-047 can also be created through specially crafted files such as ASF and MP3 audio files. These files could then be sent via email.

    Concerning MS09-046, our Security Research & Defense (SRD) team has determined that reliable exploit code would be difficult to produce, hence the lower exploitability index rating. In this case and with MS09-045, users with Internet Explorer 8.0 are at reduced risk due to the protections provided by Data Execution Prevention (DEP). Also, while this is an ActiveX control update, it is not related to the ATL issue discussed in security advisory 973882.

    The wireless update provided in MS09-049 addresses an issue with the Wireless AutoConfig Service in both Windows Vista and Windows Server 2008. We consider this one hard to exploit due to the work that has gone into hardening the Windows Heap Manager. The SRD blog has a great write-up on this.

    MS09-048 contains updates for three vulnerabilities. One of those is a Remote Code Execution vulnerability affecting only Windows Vista and Windows Server 2008. We think this one would be difficult to produce reliable exploit code for as well. The SRD team did a write-up on this one to provide additional details, so I recommend reading it. The other two vulnerabilities are both Denial-of-Service issues, and I want to point out that while Windows 2000 is affected by these, an update is not being provided. This is because the architecture to protect TCP/IP properly does not exist in Windows 2000. Customers on this platform who cannot update their systems to Windows Server 2003 or 2008 will need to carefully monitor their networks and ensure that firewall best practices are followed.

    Also, we re-released MS09-037. This bulletin for vulnerabilities in the Active Template Library (ATL), affecting components that shipped with Windows, was originally released in August 2009. In our ongoing investigation into the ATL issue, we identified a related vulnerable control, so this bulletin has been updated to include it. This additional update affects users of Windows XP Media Center 2005 and Windows Vista systems. It is important to note that to date, we have not seen any new controls being used in active attacks. The Video ActiveX control that was under limited exploitation, and which drove our out-of-band update in July, is still the only one we have seen used in attacks. Please refer to Security Advisory 973882 for the latest information and guidance from our investigation.

    In this month’s overview video, Adrian Stone and I discuss the severity and exploitability index slide and the new deployment priority slide in a little more detail:


    Please join Adrian and me for a live webcast tomorrow, Wednesday Sept. 9 at 11:00 a.m. PDT (UTC -7), where we will go into detail on each bulletin and answer all of your questions, with the help of a room full of subject matter experts. Go here to register >>

    In this post I also want to provide some clarity on Windows 7 and Windows Server 2008 R2. After the Advance Notification went out last Thursday, we saw speculation that these new products may be affected because they were not specifically listed. To be clear, Windows 7 and Windows Server 2008 R2 are not affected by any of the September security updates. Since the date these products were released to manufacturing (July 09), they have been part of our standard security update process. As such, they would have been called out in the ANS if they were affected.

    Finally, we are not addressing the IIS/FTP vulnerability announced in Security Advisory 975191 with this month’s security bulletin release. Our teams are still working on an update for this issue and we encourage customers to review the advisory for the most current guidance on this issue.

    That’s it for this month. If you cannot join us for the webcast tomorrow, come back to the blog Friday afternoon as we will be posting the webcast video and Q&A from the session.

    Thanks!

    Jerry Bryant


  • MSRC

    Microsoft Security Advisory 975191 Revised

    Hi Everyone,


    Today we updated Security Advisory 975191 as we are now seeing limited attacks. Additionally, a new proof of concept was published allowing for Denial of Service (DoS) attacks on Windows XP and Windows Server 2003 with read access to the File Transfer Protocol (FTP) service. This does not require Write access. Also, a new POC allowing DoS was disclosed this afternoon that affects the version of FTP 6 which shipped with Windows Vista and Windows Server 2008. Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits.

    The initial vulnerability was not responsibly disclosed to Microsoft, which has led to limited, active attacks putting customers at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

     

    Microsoft recommends customers review and implement the workarounds provided in the Advisory under the Workaround section.  More information on suggested actions can be found in Microsoft Knowledge Base Article 975191.

     

    While these workarounds do not completely mitigate the threat of DoS, we’re currently investigating the issue as part of our Software Security Incident Response Process (SSIRP) and working to develop a security update.  This update will be released once it reaches an appropriate level of quality for broad distribution.

    Additionally, we are actively working with partners in our Microsoft Active Protections Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA) to share information that they can use to provide broader protections to customers.

     

    For more technical details on the advisory, please see what our colleagues have written on Microsoft’s Internet Information Services (IIS) blog here: Microsoft IIS Blog. As always, be sure to check back here on the Microsoft Security Response Center (MSRC) blog or in the advisory for any additional information or updates that develop.

     

    Thank you,

    Alan Wallace

     


     

  • MSRC

    September 2009 Bulletin Release

    Advance Notification for the September 2009 Security Bulletin Release

    This month we will be releasing 5 security bulletins, all affecting Windows, and all with an aggregate severity rating of critical.

    As always, the target for release is the second Tuesday of the month at 10:00 a.m. PDT (UTC -8). Please check back here at that time as we will be posting our risk and impact assessment, a new deployment prioritization table and an overview video. Also, we encourage you to join us live on Wednesday September 9 at 11:00 a.m. (UTC -7) for our regular security bulletin webcast where we will cover the bulletins in greater detail and answer questions. Click here to register!

    If the files being updated are in use at the time of installation then these updates would require a restart. Otherwise, they would not. For information on the reasons you may be prompted to restart the system, see Microsoft Knowledge Base Article 887012.

    In related news, you will note that the ANS does not specify an update for the Internet Information Services FTP service vulnerability for which we released security advisory 975191 on Tuesday of this week. As noted in an earlier blog post, we have spun up our SSIRP (Software Security Incident Response Process) to address this issue, and our teams are working hard to produce an update. Please keep an eye on the advisory for more information and, if you are not already, please subscribe to our comprehensive alerts to receive updates by email.

    On a final note, I want to highlight our new Microsoft Security Update Guide which was written to help IT professionals better understand and use Microsoft security update release information, processes, communications, and tools – and how to manage organizational risk and develop a repeatable, effective deployment mechanism for security updates.

    Thanks!

    Jerry Bryant


     

  • MSRC

    Microsoft Security Advisory 975191 Released

    Hi Everyone,

    This is Alan Wallace, senior communications manager for our security response communications team. Today, Microsoft released Security Advisory 975191, to provide customer guidance and protection from a vulnerability that could allow remote code execution on affected systems running the FTP service in Microsoft Internet Information Services (IIS) 5.0, 5.1 and 6.0, and connected to the Internet. While we have seen detailed exploit code published on the Internet for this vulnerability, we are not currently aware of active attacks that use this exploit code or of customer impact.

    This vulnerability was not responsibly disclosed to Microsoft and may put customers at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

     

    We’re currently investigating the issue as part of our Software Security Incident Response Process (SSIRP) and working to develop a security update.  This update will be released once it reaches an appropriate level of quality for broad distribution.

    Affected products include Windows 2000, Windows XP, and Windows Server 2003.

     

    Microsoft recommends customers review and implement the workarounds provided in the Advisory under the Workaround section.  More information on suggested actions can be found in Microsoft Knowledge Base Article 975191.

     

    Additionally, we are actively working with partners in our Microsoft Active Protections Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA) to share information that they can use to provide broader protections to customers.

     

    For more technical details on the advisory, please see what our colleagues have written over on the Security Research and Defense blog.

     

    As always, be sure to check back here on the MSRC blog or in the advisory for any additional information or updates that develop.

     

    Thank you,

    Alan

     


     
