Microsoft Security Response Center

The Microsoft Security Response Center (MSRC) identifies, monitors, responds to and resolves security incidents and vulnerabilities in Microsoft software.

August 2012 Security Bulletin Webcast Q&A


Hosts: Jonathan Ness, Security Development Manager; Dustin Childs, Group Manager, Response Communications

Website: TechNet/security

Chat Topic: August 2012 Security Bulletin Release

Date: Wednesday, August 15, 2012

Q: For MS12-058, will the update be made available for all Exchange 2007 and Exchange 2010 servers or only those fulfilling specific roles, such as CAS and Mailbox?

A: The updates for Exchange are delivered as a rollup update and apply to all server roles.

Q: For bulletin MS12-060, say I have SQL Server 2008 R2 SP1 and I apply the update. If in two months I apply SP2 to SQL 2008 R2, does that update become invalid, and do I have to run the update for SP2?

A: No, after updating to SQL Server 2008 R2 SP2 you will not need to re-apply the security update for this issue.

Q: For SQL 2008 and SQL 2008 R2, both x86 and x64 downloads point to same exe. Is that correct?

A: Yes, that is correct. The single .exe will update either architecture.

Q: I notice there is an update for certificate key length, and am wondering how this will impact a Windows server's production environment.

A: On all supported releases of Microsoft Windows, the KB2661254 update requires that certificates with RSA keys use a key length of 1024 bits or greater. Microsoft products or third-party products that call into the CertGetCertificateChain function will no longer trust certificates with RSA keys less than 1024 bits in length. This function builds a certificate chain context starting from the end certificate and going back, if possible, to a trusted root certificate. When the chain is validated, every certificate in the chain is inspected to ensure that it has an RSA key length of at least 1024 bits. If any certificate in the chain has an RSA key less than 1024 bits in length, the end certificate will not be trusted. For a complete list of scenarios on how this update will block the usage of RSA keys less than 1024 bits in length, please see Microsoft Knowledge Base Article 2661254.

Q: Since Windows 8 RTM is now available on TechNet/MSDN, will Windows/Microsoft Update currently offer updates to products installed on OS such as Office 2010, MSRT, etc. or will this be implemented after the official October launch?

A: All updates that are applicable to Windows 8 RTM are already available on Windows Update. Updates for Office 2010 and MSRT will be offered to customers running Windows 8 RTM.

Q: Can the advisory (KB 2661254 - Update For Minimum Certificate Key Length) be installed for testing and easily uninstalled if it causes unforeseeable problems?

A: Yes, it can be uninstalled. It can also be configured to help troubleshoot and identify the use of certificates less than 1024 bits in length. For more information, please see KB 2661254.

Q: I use WSUS for patching and noticed that a few of my servers downloaded the Internet Explorer update and installed it, causing a reboot. None of the other updates were downloaded or applied. Is this a configuration problem, or is the update automatically approved?

A: The thing to do is check on the status of the update in WSUS Reports.

You can use Reports in Windows Server Update Services (WSUS) 3.0 SP2 to monitor the WSUS network, including updates, client computers, and downstream servers. If a WSUS server has replica servers, you can roll up client status information for the replica servers to the upstream server.

You can generate update reports from the following areas of the WSUS administration console:

1. General reports on the Reports page.

2. Reports about specific updates. (Right-click the update (or go to the Actions pane) and click Status Report.)

3. Reports on specific computers. (Right-click the computer (or go to the Actions pane) and click Status Report.)

Q: In MS12-060 all links related to SQL Server take you to a MS Office update. Is this a SQL Server fix or actually MS Office?

A: That is correct. When you install SQL Analysis Services, it installs Office Web Components (OWC). The Office bulletin will update the OWC controls that SQL uses.

Q: Regarding Security Advisory 2661254, will this impact DES/AES/SSL or other types of encryption?

A: The update is applicable only to certificates that use RSA. SSL will be affected if RSA is used. See KB2661254 for full details.

Q: Will the current version of MBSA support Windows 8?

A: No, the current version of MBSA will not support Windows 8 and Microsoft currently has no plans to release an updated version of the tool.