July 2011

Hosts: Dustin Childs, Senior Security Program Manager, MSRC
       Jerry Bryant, Group Manager, Response Communications
Website: TechNet/security
Chat Topic: July 2011 Security Bulletin Release
Date: Wednesday, July 13, 2011

Q: Is Microsoft aware of the very detailed analysis of how MS11-056 could be exploited? 
A: Yes. The vulnerability described in the analysis is fully addressed by MS11-056.

Q: Why is the Microsoft Office File Validation add-in listed under security updates but not listed as a security update?
A: Office File Validation is a mitigation rather than an update. Updates address specific vulnerabilities, while a mitigation protects against types of vulnerabilities – even if specific vulnerabilities of that type aren’t yet known.

Q: Why does the Windows Server Update Service (WSUS) system list updates that are not security but list them as security updates, when they are truly just updates?
A: The customer may be getting confused by the Critical and Security Updates heading in WSUS. Critical Updates is a Windows Update (WU) classification and is not to be confused with the Critical Severity rating of a Bulletin. A Critical Update is not a Security Update.

Q: We had an issue with KB2494088 last month which stopped the SQL service on our SQL boxes. Was this a known issue, and do we have any similar update this month?
A: This is a known issue for systems that have an instance of Microsoft SQL Server 2008 R2 that hosts a User Control Point (UCP), and it is documented in KB2163980. The issue was first found with "Cumulative update package 1 for SQL Server 2008 R2".
There are no SQL updates this month; however, there are known issues that are documented with MS11-053 and MS11-055. MS11-053 requires a non-security update listed in KB2552343, and this requirement may cause multiple reboots on Windows 7 systems. MS11-055 is for Visio 2003 SP3 and may be offered to Office 2003 systems without Visio installed. See the bulletins for details.

Q: Are mobile phones vulnerable?
A: Assuming that this question is regarding the Bluetooth bulletin MS11-053, the answer is no.

Q: Haven't directional yagi antennas been used to hack Bluetooth vulnerabilities from a distance of up to 1 mile before?
A: Yes. MS11-053 addresses this scenario for the Bluetooth vulnerability described in the bulletin.

Q: Does MS11-055 apply to Visio Viewer?
A: No, Visio Viewer is not affected by this issue.

Q: If Windows Server 2008 RTM is retired, does that mean it is still supported with service packs?
A: No. Currently released Service Packs will install over Windows Server 2008 RTM. If we were to release a new Service Pack for this platform in the future, it would not install on Windows Server 2008 RTM. The correct path would be: RTM > SP2 > SP. Note that the first Service Pack for Windows Server 2008 RTM was Service Pack 2. For more information on product lifecycles please see the Windows Lifecycle Fact Sheet page.

Q: Microsoft Office File Validation was released last month via AU, but requires admin approval to install. Can a registry key be set on individual systems to allow automatic install (no WSUS server) via AU?
A: Without using WSUS there is no way to bypass the user interaction required to accept the End User License Agreement (EULA). As you may know, WSUS will allow you to accept this for all users in your environment eliminating user interaction.

Q: A couple of months ago, the Malicious Software Removal Tool (MSRT) was updated twice in one month, and an explanation was provided via the webcast. However, KB articles are not updated with this information - KB891716, KB890830, and V3.18.4804 is not listed in KB890830.
A: We have an in-house repro of an issue in which an old MSRT package and the new MSRT package were offered during the same month. This was due to a misconfigured WSUS server where the WSUS admin allows external access to WU/MU. In this case, the user is being offered the MSRT update through two channels which are not exactly in sync. The issue will go away eventually when WSUS is up to date.

Q: When installing the MS11-055 patch on a machine that does not have Visio installed, why does it not quietly error out instead of prompting the user for input?
A: When using the quiet switch, no user interface will be shown to the user. More information on the switches can be found here. If you are experiencing issues, please feel free to contact support at 1-866-PCSafety.

Q: The Office File Validation add-in is causing slow opening of Excel files over the network from Office 2003. Are there any plans to address this?
A: Yes, we are aware of the issue of slow-opening files over the network. We are looking into the issue and will be providing an update to help alleviate some of the performance issues being experienced over the network.

Q: Why was KB973688 downloaded yesterday when it is not included in the July bulletins?
A: Microsoft originally released KB973688 on November 23, 2009. It is a non-security update for Microsoft XML Core Services 4.0 Service Pack 2, and was not released as part of Microsoft's July security bulletin release.