January 2012

January 2012 Security Bulletin Webcast Q&A

Hosts:              Dustin Childs, Sr. Security Program Manager, MSRC
                         
Pete Voss, Sr. Response Communications Manager, Trustworthy Computing
Website:         TechNet/Security
Chat Topic:     January 2012 Security Bulletin Release
Date:               Wednesday, January 11, 2012

Q: According to MS12-007, this security update should upgrade the Anti-XSS V3.1 Library to the latest version, but when we ran the installer on Windows XP SP3 32bit, a new version of Anti-XSS v4.2 Library was installed alongside the existing library. Why are the “AntiXSSLibrary.dll” files not being updated in the Anti-XSS v3.1 library folder? Are the files in the Anti-XSS v3.1 library still vulnerable? 
A: Anti-XSS v4.2 represents the fix for this update. It’s an entirely new version we are releasing just to address this issue.  

Q: Why is MS12-007 not available for enterprise tools to obtain?
A: Simply put, this update is just a new DLL, and just installing it on your system is not going to fully protect you. It will be necessary to re-compile your web applications to use the new DLL, and that’s why it is not being distributed via Windows Update. 

Q: Concerning MS12-001, why was a bulletin issued for this defense in depth feature? Is there a vulnerability in that feature?
A: We released an update because it addresses a flaw in ntdll.dll component that allowed potential attackers to bypass SafeSEH for applications compiled with Microsoft Visual C++ .NET 2003. It is not a design flaw in SafeSEH.

Q: How is Microsoft solving MS12-006, also known as BEAST?
A: Microsoft resolves MS12-006 by splitting the SSL application records in two, forcing the re-randomization of IVs. This way the attacker can't predict the IVs sequence and therefore decrypt the traffic. 

Q: About MS12-001, has Microsoft ever issued a fix for a bypass of a protection mechanism?
A:
This is the first time we’ve released a security feature bypass bulletin.

Q: Regarding last month's MS11-100, specifically ASP.NET 2.0 and 3.5: If that update is being deployed to a load-balanced server farm, is there a way to install the code, but leave it deactivated (for example, via a line in web.config), so that machines that have installed it can continue to be load-balanced with the unpatched machines until a maintenance window opens?
A: Yes, it is possible to deploy the patch while keeping the change deactivated, once all machines have been patched. More detailed information about how you can do this can be found in knowledge base article 2659968.

Q: Can you explain the known issues with MS12-006? With SSL/TLS being critical to web security, can we wait to install the patch?
A: The known issues with MS12-006 are listed in the related KB article. It is possible that some HTTPS implementations don't support our split-record fix; therefore, the connectivity to these webservers may not be successful. The bulletin is not prioritized because there are some pre-conditions that make exploitation of this vulnerability hard. However, it is recommended that you install it.

Q: So, TLS 1.0 will no longer have the vulnerability if we install MS12-006?
A: Yes.  

Q: Does BEAST address all SSL issues or are there others we should be concerned with?
A: MS12-006 addresses the SSL issue described in the bulletin.