Microsoft Security Response Center

The Microsoft Security Response Center (MSRC) identifies, monitors, responds to and resolves security incidents and vulnerabilities in Microsoft software.
April 2012

April 2012 Security Bulletin Webcast Q&A

Hosts:             Jonathan Ness, Principal Security Development Lead, MSRC
Pete Voss, Senior Response Communications Manager, Trustworthy Computing
Website:         TechNet/security
Chat Topic:    April 2012 Security Bulletin Release
Date:               Wednesday, April 11, 2012


Q: Will applying MS12-027 require a restart of our SQL Server instances?
A: Installing MS12-027 may cause a reboot of your SQL Server instance.

Q: SP1 for Windows 2008 R2 and Windows 7 is showing up this month in Windows Update. (A block we had in place has apparently expired). Once SP1 has been applied and the machine rebooted, RDP sessions into the machine immediately disconnect. The only way to log back into the machine is via the console. Is this a known issue with SP1?
A: Yes, this is currently documented in the known issues section of KB 2667402. After you install security update 2667402 on a computer that is running Windows 7 or Windows Server 2008 R2, and then install Service Pack 1 (SP1) for Windows 7 or Windows Server 2008 R2, the binary version of Rdpcorekmts.dll is 6.1.7600.16952 and not 6.1.7601.17514. In this scenario, you may be unable to create a remote desktop session to control the Windows 7 or Windows Server 2008 R2-based computer.

Q: Is there a dependency among these updates?
A: No, there are no dependencies between these updates.

Q: Would it be typical for systems to take longer after the restart installing MS12-025? Is the system doing .NET-related work on the restart before the user logon is presented?
A: When a .NET update is installed, it queues up a NGEN task for the regeneration of native images. This is an asynchronous operation and runs in the background. After the update is installed and the machine is rebooted, you might notice CPU activity after you see the background processing. This is expected behavior and you can continue using your machine while the NGEN process runs in the background.

Q: We are using Forefront UAG, but in our environment at this time, only to publish one application using an HTTPS trunk. Are we affected by the vulnerability described in MS12-026?
A: Yes, you are potentially affected by the information disclosure vulnerability. We recommend you install this update to mitigate a potential external access to UAG resources.

Q: Once MS12-024 is installed and strict verification is enabled, will this break older signed downloads from the Microsoft Download Center?
A: No, the updates to the Windows Authenticode Signature Verification function only have an effect on 3rd-party executables that do not comply with the Authenticode specification or append data to the end of the file after the file has been signed. For more information, please see the Known Issues section of KB article 2653956 

Q: What is the possible impact on SQL 2008 R2 when installing MS12-027?
A: Installing MS12-027 onto your SQL Server may cause a reboot if the component is in use during the update process. The component that is being updated by this bulletin is Office Web Components, which is installed with Analysis Services. 

Q: I use WSUS 3.0. Detection & Deployment indicates that MS12-027 is available. I am unable to locate Commerce Server, Fox and VB 6 updates. Which products and/or classifications need be selected to download these updates?
A: We are not sure about the Commerce Server specifically, but updates for VB and FoxPro are only available through Download Center. Since the affected binary is a shared component across multiple Microsoft Office products, the update is applicable to your installation of Microsoft Office if Microsoft Update detects that the vulnerable version of the Windows Common Controls is present in your installation. The update targets specific versions of Microsoft Office, not specific Microsoft Office components. 

Q: Are all Forefront products affected by MS12-026?
A: Only Forefront UAG is affected by this issue. Other Forefront products are not affected. 

Q: The FAQ for MS12-027 has two questions that reference ActiveX controls, but the article does not provide info or installers around that. Is there an update installer for ActiveX controls?
A: MSCOM control is a shared ActiveX control. The update is to the control that is shared by multiple applications on the system. If a third party application packages an old version of the component instead of using the systems’ shared ActiveX control, the third party will have to download the updated ActiveX component to distribute with their application. 

Q: Regarding MS12-027, the Affected Software section in the bulletin mentions SQL 2008 and SQL 2005, however in the Software Updates repository MS12-027 does not list either of these affected as applicable. Am I missing updates within the repository for MS12-027?
A: By default, supported versions of Microsoft SQL Server 2005 and Microsoft SQL Server 2008 default installations include the Windows common controls. Microsoft Update will automatically detect and deploy the Windows common controls packages to supported versions of Microsoft SQL Server 2005 and Microsoft SQL Server 2008. The update packages that apply to SQL Server 2005 and SQL Server 2008 are the same packages that apply to Microsoft Office. See the Affected Software section for more information. 

Q: Could you provide more details on the vector involving SQL Server and MS12-027?
A: An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. This can include compromised websites and websites that accept or host user-provided content or advertisements. Such websites could contain specially crafted content designed to exploit this vulnerability.

In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes them to the attacker's website. Then, specially crafted web content could be used to exploit the vulnerability on affected systems.

Q: Can you elaborate on using JavaScript blocks as part of the address bar?
A: Internet Explorer prevents the copy and paste of strings starting with "javascript:" directly in the address bar. With MS12-023, this defense-in-depth measure is improved and it also stops possible variants of this social engineering attack.

Q: When installing .NET updates from SCCM or manually, we have seen errors appear. Does a newer version of .NET get installed with the update if it is not present, or will the update not install if the version of the update is not present?  For example, if I have .NET version 2.0 installed and try to install the .NET 4.0 update, will it be ignored or updated to version 4.0?
A: The update from MS12-025 will only be offered for installed .NET version. The update from MS12-025 will not install a new version of .NET on the system.