Hosts:                   Adrian Stone, Senior Security Program Manager Lead

                                Jerry Bryant, Senior Security Program Manager Lead

Website:             TechNet/security

Chat Topic:         September 2009 Security Bulletin
Date:                     Wednesday, September 9, 2009

 

Q: For MS09-048 how do we mitigate this with Windows 2000 Server since Microsoft will not be producing a patch? Do we have any prescriptive guidance?

A: In addition to the mitigations and workarounds listed in the bulletin, the DoS vulnerability can be further mitigated through the use of NAT and reverse proxy servers.

 

Q: For MS09-048, please clarify why Windows XP SP2 is not vulnerable.  The verbiage in the bulletin states that the default setup for SP2 doesn't have any services listening with exceptions in the firewall. We don't have a default setup in that we have numerous services with exceptions in the firewall.  This would infer we are vulnerable.  Is there a patch for Windows XP?

A: An update for Windows XP will not be made available.  By default, Windows XP Service doesn't have a listening service configured in the client firewall and are therefore not affected by this vulnerability.  The DoS attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases.  This makes the severity Low for Windows XP.  Additionally, Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. As the vulnerability occurs within the TCP/IP protocol itself, the update provided does not completely remove the vulnerability; it merely provides more resilience to sustain operations during a flooding attack.  Also, this DoS vulnerability can be further mitigated through the use of NAT and reverse proxy servers. Windows XP is not affected by CVE-2009-1925.

 

Q: Were the patches for MS09-045 KB971961 related to MS09-013 or MS09-038?  The patch download pages listed these bulletins yesterday.

A: MS09-045 is the bulletin corresponding to the JScript vulnerability. There is no connection between the JScript bulletin MS09-045 and MS09-013 or MS09-038. You can refer to those specific bulletins to get more information about the vulnerabilities addressed by those bulletins.

 

Q: Regarding MS09-048: We still use Windows XP and we do not use Windows Firewall. We use a third party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening (such as remote desktop) wouldn't then Windows XP be vulnerable to this? If so, why is there no patch for XP? If not, why not?

A: An update for Windows XP will not be made available.  The DoS attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases.  This makes the severity Low for Windows XP.  Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits. Windows XP is not affected by CVE-2009-1925.

 

Q: Is there still an Extended Hotfix program for the Windows 2000 DST update?  Is there an update to the Windows 2000 OS?

A: Unfortunately, DST updates are not security updates, so we do not have any special knowledge on this.  Windows 2000 is in extended support, so by default it will receive "Security update support at no additional cost" and "Non-security related hotfix support requires a separate Extended Hotfix Support Agreement to be purchased (per-fix fees also apply)" - see: http://support.microsoft.com/default.aspx?scid=fh;[ln];lifecycle .

 

Q: Under what conditions in the future might a similar decision be made to not patch vulnerability in a supported OS. Microsoft has decided not to patch Windows 2000 for the TCP/IP vulnerability due to infeasibility even though the OS is still supported.

A: An update for Windows 2000 was not provided because the architecture to support the added resilience does not exist on Windows 2000.  We will continue to provide updates for Windows 2000 while it is in support unless it is not technically feasible to do so.

 

Q: Is Windows XP vulnerable to MS09-048 without the Windows XP firewall?

A:  Yes but only for the two DoS vulnerabilities. The bulletin has been updated to indicate this and the severity for XP is low.

 

Q: In MS09-048 for Windows Server 2003 in a DoS situation: Is a DoS possible on Windows Server 2003 and are there any exploits in wild?

A: We are not aware of any current attacks attempting to exploit this issue.  Windows Server 2003 is affected.  We recommend Windows Server 2003 users apply the update as soon as possible.

 

Q: Several sites are reporting that there is a Metasploit module available for MS09-045. Is Microsoft aware of any publicly available exploit code of MS09-045?

A: No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

 

Q: Can you expand on how Windows XP is vulnerable?  The bulletin makes it look like it IS vulnerable but is protected by the Firewall.  My company doesn't use the Windows XP firewall....

A: The vulnerability addressed in MS09-048 occurs in the TCP protocol itself, so any system with a listening TCP service could be flooded with specially crafted TCP packets.  The system will recover without restarting once the packet flood stops.

 

Q: For MS09-043: If you are using the primary interop assembly in a solution, you must install this update and then rebuild your solution to use the new primary interop assembly and control ID. Does this mean I have to redo the whole program, or just change the control ID? I'm trying to decide if I should install this update on a Windows Server 2003, but not sure what the following statement means:  This security update updates the Office Web Components (OWC) primary interop assembly to use a new control ID.

A: This means that after you install the update you need to re-compile (re build) the solution.   After you rebuild your solution the new interop assembly and control ID will be compiled into your program.

 

Q: For MS09-037: Just to confirm, we will be reinstalling this patch each time there is a new ActiveX control added rather than having a new MS Bulletin number?

A: We do not expect to make additional revisions of this nature to this bulletin. 

 

Q: Will MS09-048 patch not be compatible with Windows 2000 Servers? According to a recent Computerworld article, Microsoft will not provide a patch for Windows 2000 as it relates to MS09-048. Is this true?

A: An update for Windows 2000 was not provided because the architecture to support the added resilience does not exist on Windows 2000.

 

Q: Will the Windows 7 RC patch for Security Advisory 975497 come out online? It's been noticed no Windows 7 patches are out yet.

A: This issue is still under investigation. When an update is made available, consideration for Windows 7 RC will be made at that time.

 

Q: SMB (Security Advisory 975497) page did NOT mention if Windows Server 2003 is affected? Yes or no?  

A: Windows Server 2003 is not affected by this issue.

 

Q: Mitigating Factors shown for Microsoft Security Advisory 975497 states that if the network profile is set to Public then unsolicited inbound network packets are blocked by Default. Is this sufficient protection for the SMB vulnerability?

A: On Vista systems, setting the network profile to "Public" will prevent unsolicited inbound network connections.  This will prevent an attacker from initiating a SMB negotiation session, which is needed to exploit the issue.

 

Q: What determines the JScript Engine version on Windows XP?

A: On Windows XP, the version of JScript.DLL can be determined by both the Windows XP Service Pack and the version of Internet Explorer installed. For instance, Windows XP SP3 will upgrade jscript.dll to v5.7 even if you are using Internet Explorer 6. We advise users to check for the actual version of JScript installed as described in the security bulletin FAQ "What version of JScript is installed on my system?"

 

Q: In advance of the IIS/FTP patch, are there any tools available to scan for the vulnerability? Could a temporary "patch" be released that simply detects the issue?

A: No. Please see the advisory at http://www.microsoft.com/technet/security/advisory/975191.mspx, for affected platforms and settings which you should be aware of when running IIS Ftp Service. The version of FTP Service you are running determines if you are vulnerable and to what extent. See this blog post by the IIS team for clarification: http://blogs.iis.net/wadeh/archive/2009/09/03/understanding-versions-of-the-iis-ftp-server.aspx.

 

Q: The SMB advisory refers to SMB2. Do the affected OS baselines support SMB as well as SMB2 or does SMB2 represent a superset of SMB and therefore replace SMB altogether?

A: The SMB advisory affects SMB version 2 only.  Disabling SMBv2 on Vista/WS08 will protect against this issue by forcing these systems to use SMBv1 instead.  Vista/WS08 supports both SMB v1 and v2.

 

Q: Does MS09-047 replace the Windows Media Services and Windows Media Player 6.4 part of MS08-076 update?

A: MS09-047 does replace MS08-076 for Windows Media Services 9.1 and Windows Media Services 2008 on the supported platforms listed in the bulletin. However, it does not replace MS08-076 for Windows Media Player 6.4, as this application is not affected by the vulnerabilities described in MS09-047.

 

Q: Is there any change about the update pipeline in Windows 7 compared to its previous versions? Is it much intact compared to its previous version?

A: Windows 7 will follow the same update schedules and policies as previous versions of the Windows OS.

 

Q: Has the Microsoft Security Content: Comprehensive Edition been changed to not provide advanced notifications the Thursday before patch Tuesday?

A: We will continue to provide the ANS three business days prior to release Tuesday as usual.

 

Q: Are the TCP vulnerabilities related to the sockstress issues?

A: Yes - CVE-2008-4609 directly addresses the sockstress issue.

 

Q: Security Advisory 973811 "Extended Protection for Authentication" if implemented “degrades performance with SMBv1” and Security Advisory 975497 "Vulnerabilities in SMB Could Allow Remote Code Execution." The workaround currently suggests disabling  SMBv2.  Are there any other versions of SMB in Windows that can be used?

A: Extended Protection for Authentication does not slow down SMBv1, but is not supported on the protocol at all. In Microsoft Security Advisory 973811, we list SMB Signing as an alternative to Extended Protection for Authentication for providing additional protection in specific scenarios. SMB signing can slow down SMBv1 significantly on file service transactions, but roughly maintains the same performance on SMBv2. SMB v1 and v2 are indeed the only SMB versions offered on Windows.

 

Q: Can you point me to the best link/blog that talks to mitigating factors for MS09-048 for windows server 2000? I cannot find it clearly documents in the KB links.

A: The SRD blog at http://blogs.technet.com/srd/ provides additional information.  We will also be revising the bulletin today to clarify these issues.

 

Q: I have Windows XP (32bit) SP3 showing JScript version of 5.6.8820 whereas your bulletin says SP3 machines should have JScript version 5.7.0.1659

A: Windows XP SP3 ships with a 5.7 version of JScript, and upgrades all lower versions to at least that version. We are aware that some 3rd party applications have downgraded jscript.dll to a lower version in the past, if you have a Windows XP SP3 installation with jscript 5.6, you may want to contact support for assistance.

 

Q: For MS09-043, Office XP Web Components, we have a server with Office 2000 and Microsoft Update does not detect this update. I've tried manually downloading it but the patch will not install. The download points to Office XP service Pack3; is there one for Office 2000?

A: At the time of the release of this security update, Office 2000 was no longer a supported platform. Thus a security patch was not released for Office 2000. Please visit Microsoft Lifecycle Support policy at http://support.microsoft.com/lifecycle/?p1=2484.