Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Hello again. This is Jerry Bryant letting you know that the questions and answers from the December 2009 security bulletin webcast have now been posted here.
There is one question that I wanted to provide a little more information on and that references reports of KB973917 causing problems with Internet Information Services (IIS) 6.0 running on Windows Server 2003 SP2. There are scenarios where the system can be in a state where the correct core IIS .dll files are not in place. This may be the case if SP2 did not install correctly or if IIS 6.0 was installed on the system from a Windows Server 2003 Gold or SP1 CD after SP2 was installed. KB2009746 has more information on this and how to resolve the issue which is to essentially reinstall SP2 to get the right binaries on the machine.
To be clear, KB973917 references a non-security update that implements Extended Protection for Authentication in IIS. This is part of our overall work to address credential relaying attacks on Integrated Windows Authentication as described in Security Advisory 974926 that we released on Tuesday. The updates in question are not addressing vulnerabilities and I just wanted to clarify that point. To learn more about this work, please read the advisory and also this excellent blog post by Maarten Van Horenbeeck from the MSRC: http://blogs.technet.com/srd/archive/2009/12/08/extended-protection-for-authentication.aspx.
At this time, our Customer Service and Support group are not reporting any major issues with this month’s bulletins. If you do experience any issues obtaining or installing security updates, please visit https://consumersecuritysupport.microsoft.com for some great trouble shooting tips as well as various support options. You can also call 1-866-PCSafety (1-866-727-2338) in the US. For more regional contact numbers, please visit http://support.microsoft.com.
The video below is from the webcast where Adrian Stone and I went in to detail on each bulletin. As we have been saying, MS09-072 should have the highest priority this month. Especially for users of IE 6 and IE 7.
Our next webcast is scheduled for January 13 at 11:00 a.m. PST (UTC -8). Click HERE to register now.
*This posting is provided "AS IS" with no warranties, and confers no rights*