April 2011

April 2011 Security Bulletin Webcast Q&A

 

Hosts: Jonathan Ness, Security Development Manager, MSRC

Jerry Bryant, Group Manager, Response Communications

Website: TechNet/security

Chat Topic: April 2011 Security Bulletin Release
Date: Wednesday, April 13, 2011

 

 

Q: Can the Server Message Block (SMB) attacks protection be done hardware-wise through the Cisco router security protocols?

A: Network devices, such as routers and switches, can be used to block specific ports and protocols. You should check with your device manufacturer to determine the methods for implementing protocol filters.

 

Q: KB 2501696 explained how to implement a workaround pre-MS11-026. This contained a Microsoft Fix-it (50603) to disable the workaround. This has been removed post public release of the update, so is the workaround removal tool going to be made available?

A: Yes. The workaround removal tool is available via the Bulletin KB 2501696. This link is available in the bulletin under the workarounds section.

 

Q: This batch of updates appears to be prompting more than one reboot for clients from our Windows Server Update Services (WSUS) server. Is there a particular combination of updates that could be expected to cause more than one reboot? For example, on both Windows 7 and Windows XP boxes, our change control process requires that I notify them of any departure from normal behavior, and multiple reboots are enough to get me in trouble unless I can explain it. I know this is a hard question…

A: There's no particular reason for these updates to require multiple reboots. Assuming all of the updates have been approved simultaneously, they should be installed together under a single reboot.

Unfortunately, figuring out what may be going on would require more detailed investigation. You could contact 1-800-PCSAFETY and provide them with the windowsupdate.log file from the machines affected to determine what may be happening.

 

I would also make sure that the updates were approved at the same time. If the approvals were batched, then clients may only see some of the updates at a time.

 

Q: I have a question about MS11-020 - SMB. Is SMB vulnerable on both port 445 and 138?

A: We recommend blocking both TCP 139 and 445 at the perimeter.

 

Q: What is "cooperatively disclosed" as opposed to "publicly disclosed"?

A: “Cooperatively disclosed” refers to when the finder privately reports vulnerability details to the vendor. “Publicly disclosed” is when those vulnerability details are released publicly.

 

Q: With regard to MS11-033, if I were to open that file in Word, is there still a problem?

A: No, Microsoft Word is not affected.

 

Q: Are updates released via Security Advisories such as KB2506014 available via the Microsoft Update Catalog today, or do we have to wait until they are released via Windows Update or Automatic Update?

A: The update for the Windows OS Loader is a high-priority update on the Windows Update Web site. On the Windows Update site, it will be listed in the "High Priority" Updates category for customers who have not received the update already and are running the software listed above.  For the Office File Validation update, this will be available on Microsoft Update in the near future (Download Center only for now).

 

Q: I updated my PC this morning (Windows XP PRO/SP3, Office 2003, IE8). After doing this, I'm having an issue with PowerPoint. I open a previously created presentation, and when I try to make an edit, PowerPoint stops responding. Has anyone else reported a problem?

A: There are known issues documented in http://support.microsoft.com/kb/2464588. If your issue is not listed, please contact 1-866-PCSAFETY.

 

Q: About MS11-025: Can you give some more details on the vulnerability? Which type of DLL Hijacking is possible? What DLL is affected?

A: Applications built with MFC use the Windows DLL load order to attempt to load the MFC runtime DLL. The application's current directory when opening these files is set to the directory from which it was loaded. An attacker could convince a user to open a legitimate file associated with the application built using MFC that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the file, the affected application could attempt to load the DLL file and execute any code within DllMain.

 

Q: Just to clarify, having a firewall does not necessarily mean systems behind the firewall are not vulnerable. In reality, the effects of an exploit would likely not be realized (Specifically in regards to MS11-019 and MS11-020). Correct?

A: Blocking SMB inbound and outbound at the perimeter prevents outside attackers from exploiting vulnerable systems within a domain. As long as a system is reachable via SMB, it is at risk from exploit. This includes machines within a domain that are not protected by a firewall.

 

Q: Are there any new security bulletins that should be installed prior to Internet Explorer 9? I have been considering installing Internet Explorer 9 the past couple days and it was one of 3 available updates. Now I notice about 30 new updates for my version of Windows.

A: Internet Explorer 9 is not affected by any of the vulnerabilities addressed in the bulletins released this month. It is not necessary to install any of the non-IE bulletins prior to installing IE9.

 

Q: Regarding MS11-025: Is Visual Studio Service Pack required to be already installed in order to install this update?

A: The bulletin clearly calls out the affected product versions with their supported service pack levels.  Each update package is specifically crafted for the product/SP combination listed.

 

Q: When do these updates become available on WSUS?

A: Security updates are released to WSUS as soon as the bulletins go live, regularly scheduled for approximately 10 a.m. Pacific Time on the second Tuesday of every month.

 

Q: Systems Management Server (SMS) 2003 was a free tool from Microsoft... with all the new tools being upgraded, will there be a free SMS 2003 replacement for smaller SOHOs and small business?

A: There are two points to note here. Point #1: It needs to be clear that SMS 2003 is not going out of support; however, the SUIT add-on that can be installed on SMS 2003 is going out of support, as well as 2.0. Point #2: SMS 2003 is not a free product. You may be thinking of WSUS, which is a free product, and it will continue to be made available; however, the supported version may change as the product is updated.

Q: There seems to be a problem with the Malicious Software Removal Tool (MSRT) on Windows 2008 R2 servers. Running Windows Update lists it as an important update, but the check-box next to it is not checked by default so it does not get downloaded.

A: This is by design due to the throttling. It can happen to any update, not just MSRT. If a package has been downloaded by the time you open the user interface (UI), it is checked. Otherwise it is unchecked. Users will eventually get the unchecked package.

 

Q: Will MS11-031 correctly patch JScript 5.7 on Windows Server 2003/XP x64 SP2 running IE 6? This scenario results by manually upgrading the Windows Scripting Host to JScript 5.7?

A: Yes - the update should correctly detect the version of JScript installed on your supported operating system.