Monthly Security Bulletin Webcast Q&A - August 2010
Hosts: Adrian Stone, Senior Security Program Manager Lead
Jerry Bryant, Group Manager, Response Communications
Chat Topic: August 2010 Security Bulletin Release
Date: Wednesday, August 11, 2010
Q. I have a server that Microsoft Baseline Security Analyzer (MBSA) detects as needing MS10-056 KB2277947. When I manually installed the update, the update installed, but the 3 files listed by Microsoft as being affected are not present on the server. They were also not present on the server prior to the update being installed. Could there be a detection issue in MBSA?
A. MBSA detection is authoritative and correct – and is the same detection used by Microsoft Update. There are likely still potentially vulnerable files on the machine for which the update still needs to be applied. Please review the bulletin, and check the Installed Programs control panel applet to confirm whether additional versions of Office that may be vulnerable are installed.
Q. Where can I find the meanings of the codes found in the Max Impact column?
A. The answers for the abbreviated information in the Max Impact column of the Deployment Priority slide are:
Remote Code Execution (RCE)
Elevation of Privilege (EOP)
Denial of Service (DoS)
Additional information regarding these ratings can be found in the Microsoft Security Update Guide. You can download a copy at http://www.microsoft.com/downloads/details.aspx?FamilyID=c3d986d0-ecc3-4ce0-9c25-048ec5b52a4f&displaylang=en
Q. Local companies are getting flooded with bogus emails with fake .zip attachments. I think that these attachments contain spyware or malicious web site links. Any idea what is going on?
A. This is probably spam being sent automatically, and is not specifically related to any of our bulletins. We recommend making sure you have up-to-date spam filters installed, and to not open any emails that appear suspicious. If you believe you have a new virus, you may submit a sample to the MMPC at http://www.microsoft.com/security/portal/
Q. MS10-047 replaced MS10-021 which did affect Windows 2003, yet your slide indicates that this does not affect Windows 2003. How then is it a replacement for that update?
A. This update replaces MS10-021 only on those platforms as listed to do so in the security bulletin. The bulletin lists it as replacing MS10-021 for all supported versions of Windows XP, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. MS10-047 does not replace MS10-021 for Windows Server 2003, as it is not affected by the new vulnerabilities.
Q. Regarding MS10-056 are there any prerequisites for Microsoft Office 2003 or for Office Viewer 2007? Also, are there updates that are required to have been installed prior to installing this update?
A. Prerequisite information is indicated in the Knowledge Base articles for the updates; please refer to KB2251399 and KB2251437, respectively.
Q. What are the additional releases after the August 2010 advisory named Microsoft Security Advisory (977377) and Microsoft Security Advisory (2264072) for?
A. Security Advisory 977377 was released in February of 2010, and included a workaround package to address the vulnerability in Transport Layer Security/Secure Sockets Layer (TLS/SSL). This security advisory has now been deprecated since we released MS10-049, which has the final security update to address this issue. Security Advisory 977377 is no longer active, and all current information on the vulnerability can be found in security bulletin MS10-049.
Security Advisory 2264072 was released in this cycle to provide guidance on the proper use and limits of the Windows Service Isolation feature, and to release an optional, non-security update that helps address an attack vector through the Windows Telephony Application Programming Interface (TAPI) which could lead to local Elevation of Privilege.
Q. When is Windows 7 SP1 scheduled to be released?
A. Windows 7 SP1 will be available in H1 2010.
Q. We are unable to update to Win XP SP3 due to conflicts with in-house applications. Are we now left out in the cold going forward with regards to security updates? Are there any other avenues to take if we are indeed shut-out?
A. Customers are strongly recommended to upgrade to a supported configuration, such as Windows XP SP3. If this is not possible, customers with a Premier Support contract may have limited other options, and are recommended to contact their account team or their local Microsoft representative for additional information and guidance.
Q. You have mentioned many times running / browsing or using logons with least privilege mode. I understand this statement, however, with many applications (specifically ones written for XP) requiring administrator rights, how is this accomplished?
A. Microsoft continuously updates documentation to help developers write more secure code, and how to achieve everyday tasks without requiring administrative privileges. Over the past several years, we have observed that fewer and fewer third-party applications require administrative privileges during runtime, and more applications run without requiring administrative privileges.
Yes, we are recommending that users run without administrative rights. On older operating systems such as Windows XP this was not always easy to do in reality – but since Windows XP we have released two successor operating systems, Windows Vista and Windows 7, which make running as a non-admin much easier. For example, if you run Windows 7 as a non-administrator, you will be prompted for administrator credentials if an application requires administrative permissions.
Q. Since Microsoft will no longer release an update for Windows 2000, would you suggest decommissioning our existing 2000 servers immediately or is it still safe?
A. Customers are strongly recommended to upgrade to a supported configuration, such as Windows Server 2008 R2. If this is not possible, customers with a Premier Support contract may have limited other options, and are recommended to contact their account team or their local Microsoft representative for additional information and guidance.
Q. Are there any known issues with any of the August 2010 Security Bulletins?
A. Each Bulletin listed in the August 2010 release lists the known issues in the General Information section if any such issue exists.
Q. In relation to the vulnerability regarding Movie Maker, is it possible for Microsoft to create an uninstall FixIt to remove that component that is not needed in most enterprise environments?
A. Thank you for the suggestion. “Windows Movie Maker” can be uninstalled from systems using “Add/Remove Programs”, or more centrally through our common deployment tools. It can also be disabled in an enterprise environment using Group Policy. At this point in time, no FixIt is planned to automate this uninstall scenario, but we will investigate whether we can make disabling specific components easier for those environments.
Q. For MS10-060, similar to MS10-041, the .NET installation fails during install due to issues with system permissions surrounding folders and registry keys. Is there any work in progress to mitigate these issues?
A. The security updates corresponding to MS10-060 have been extensively tested on a variety of platforms; in spite of this a small number of customers may encounter installation issues. In order to debug this issue and identify the root cause we would need the update installation logs as well as specifics about the environment where this issue is being encountered. We recommend you call Microsoft support at 1-866-PCSAFETY and a support engineer will help debug your installation issue.
Q. Following installation of KB2115168, KB982214, KB2079403, and KB2286198, our Multimedia Message Service (MMS) application does not work. The error displayed states that port 1090 is in use. Can you explain this error?
A. Microsoft is not aware of this issue being caused by any of the security updates released on Tuesday, August 10, 2010. Customers who experience specific issues should contact their Microsoft account team for further assistance, or can obtain free security update related assistance from Microsoft Product Support Services by calling +1 (866)PC-SAFETY in the U.S. and Canada.
Q. Does the new Malicious Software Removal Tool (MSRT) eliminate the need to deploy MS10-046 if it has not already been done?
A. The MSRT does not eliminate the need for any of the security updates. The MSRT is only designed to remove malicious software installed on a system, whereas the security updates address vulnerabilities in the system and applications. By not applying the updates, systems are still vulnerable to the listed issues.
Q. Which of the updates would you advise on installing immediately?
A. You should refer to the Microsoft Security Response Center (MSRC) blog or the Security Research and Defense (SRD) blog for our deployment recommendations. For August, we recommend prioritizing deployment of MS10-052, MS10-055, MS10-056, and MS10-060.
Q. Can you explain in more detail how the updates for Silverlight 2.x and 3.x work? For Internet Explorer, will the update for 2.x update Silverlight to 3.x, or an updated version of 2.x? Are the updates for Silverlight 2.x and 3.x actual updates, or are they simply installers for the latest versions of Silverlight?
A. Based on the nature of the technology, most Silverlight applications will require a certain minimum build number and users of these applications would be upgraded by the Silverlight Updater accordingly. The Silverlight updating mechanism is described in more detail in the FAQ section of this Security Bulletin.
Most Silverlight customers will already have the latest version of Silverlight installed on their systems, unless they specifically blocked Silverlight updates in their infrastructure or on the client.
In the context of this bulletin, customers of Silverlight 2 and Silverlight 3 can upgrade to either the latest build of Silverlight 3 which addresses the vulnerability, or upgrade to the latest build of Silverlight 4 which is not affected by this vulnerability.
All Silverlight update packages always install a complete build of Microsoft Silverlight, rather than merely replacing specific files.