Hosts: Dustin Childs, Group Manager, Trustworthy Computing Communications
Jonathan Ness, Principal Security Development Lead, MSRC
Website: TechNet/security
Chat Topic: July 2012 Security Bulletin Release
Wednesday, July 11, 2012
Q1: The Microsoft Security Research & Defense Blog recently recommended the Microsoft Enhanced Mitigation Experience Toolkit (EMET) for mitigating the known XML Core Services 5.0 issue. Does EMET also protect from exploitation of the current Microsoft Data Access Component (MDAC) vulnerability (MS12-045) when used with Microsoft Internet Explorer 8 and 9?
A1: Yes, EMET does mitigate the MS12-045 MDAC issue.
Q2: Regarding MS12-043, we have already applied the workaround Fix-It from last month. Are there any issues applying MS12-043 on top of that, or should we uninstall the Fix-It first?
A2: No, MS12-043 packages and the Fix-It can be applied together. You can uninstall the Fix-It solution, but it’s not required.
Q3: Why are security updates that have no binary changes listed under Critical and non-security updates?
A3: Last month we offered the Automatic Updater for untrusted certificates as an optional non-security update. Yesterday we re-released that update as critical non-security, since with the new releases of Windows we are moving toward that update mechanism for untrusted certificates, and we wanted to have the maximum installation base on previously supported systems as well.
Q4: Regarding Security Advisory 2719662, have the Gadgets that shipped with the OSes (Vista and Windows 7) been evaluated for security vulnerabilities? If a home user is using only the gadgets that shipped with the operating system, are they at risk (provided they did not download or install any additional gadgets)?
A4: Gadgets that were shipped in the operating system have been evaluated for security issues and we have issued security updates for these gadgets in the past. We recommend that users evaluate the use of Gadgets in their environment and are aware of the source of these gadgets. Overall, Microsoft is moving away from the use of Gadgets and Sidebar, and Gadgets will no longer be offered from the Microsoft Gadget Gallery. We are moving towards the direction of Metro apps made available via the Windows Store and recommend that Gadget developers develop desktop applications using this portal moving forward.
Q5: Will the upcoming fix for MSXML 5 (MS12-043) be issued via a new bulletin number, or will it use this existing one?
A5: The pending update for MSXML 5 (MS12-043) will be issued using this existing bulletin number, as a major revision to the bulletin.
Q6: About KB2677070: Automatic Updater of Revoked Certificates: Can this automatic updater of revoked certificates cause my clients to reboot after they're updated with untrusted certificates?
A6: Yes, a reboot may be required.
Q7: As you know, MS12-043 has been implemented into the Metasploit framework. Can Windows Server 2003 or 2008 be exploited via Metasploit via a common open port such as TCP (port 80)? Can Metasploit run IE to run the exploit? Does the SHIM work in this case? Does the OS version matter when Metasploit is used?
A7: Although Windows Servers are vulnerable to this issue, security best practices recommend against browsing from servers. In addition, supported versions of Windows Server contain the Enhanced Security Configuration (ESC) feature, which is enabled by default. Because of this mitigation, for Windows Servers this issue is downgraded to Moderate severity. In addition, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attacker's website.
Q8: For MS12-046, what about software that is normally run from a UNC path that uses DLLs in its own folder? Doesn't this fix have the ability to break those?
A8: No, the MS12-046 update does not affect the way libraries are loaded from the application directory on remote locations.
Q9: Will the August 2012 update (has the KB been picked yet?) invalidating certs with <1024-bit keys be configurable -- blockable, manageable via GPO, uninstallable, and / or overridable for custom internal certs? If it can be configured as blockable, will a blocking tool be provided?
A9: Please stay tuned to the MSRC blog as well as the Windows PKI blog over the next month. We are planning to release more information about this upcoming release to allow customers to prepare for the update. The KB number will be assigned closer to the release date.
Q10: Is there an effective way to verify the functionality of KB2677070? There was a Security Advisory 2728973, released yesterday that talks about Microsoft moving some certificates to the untrusted store. Is using information in SA2728973 a good test, or is there a better way to verify the automatic revocation functionality?
A10: Security Advisory 2728973 describes what to check in the Event Viewer in order to verify that the automatic updater worked properly. The procedure is described in the FAQ section of the advisory.
Q11: Please clarify: Are there already attacks in the wild for MS12-044 (Internet Explorer) or just for MS12-043 (MSXML)?
A11: No, Microsoft is not aware of any attacks in the wild against any of the vulnerabilities documented in MS12-044.
Q12: About MS12-043, it was mentioned that XML Core Services is incorporated in Office. How do I know which version of XML Core Services is being used? I do not see the XML Core Service installed on the workstation.
A12: MSXML 3 and MSXML 6 are installed on all supported versions of Windows. MSXML 4 can be downloaded and installed. MSXML 5 is installed with Office 2003 and 2007.
Q13: Would a DLL-preloading exploit against MS12-046 be successful if the crafted document and DLL were embedded in, and executed from, a zip file attached to an email?
A13: For more information on these types of vulnerabilities, attack vectors, mitigations, and workarounds see Microsoft Security Advisory 2269637. MS12-046 fixes a specific DLL-preloading issue in the affected versions of Office and the Visual Basic runtime.
Q14: Can you please talk about minor detection changes to correct the offering issues? My staff is unable to automatically and/or manually install several .NET patches.
A14: In regards to the July 10, 2012 revisions to a number of .NET bulletins, this was done to communicate minor detection changes for some of the packages associated with the bulletins in question.
The minor revisions were published for MS11-044, MS11-078, MS11-100, MS12-016, and MS12-035 to correct an offering issue. No changes were made to the security updates. The minor revisions published for MS12-036 and MS12-050 corrected incorrect information in the security bulletin. Please see the known issues section of each of the KBs to see if there are any issues listed.
There are no changes to the security update files, so systems that have already successfully updated will not need to take any action. The revisions will not cause installs to succeed or fail, as there are no new packages; however some systems may now be offered the updates that were being offered before. If you are manually downloading the update and trying to apply it directly, this scenario is not affected, and if you are experiencing installation failures, you should call support for assistance. Also, please see KB 2698555: Description of the Microsoft .NET Framework repair tool.
If you are still seeing problems with installing these security updates, please engage CSS to escalate this issue. We take the reliability of our security updates very seriously and will investigate and address deployment issues with these.
Q15: Are system readiness tools really needed when using a WSUS-style setup?
A15: The System Update Readiness tool is not necessary for WSUS. The System Update Readiness Tool would only come into play if there is a setup problem you are trying to troubleshoot -- for example, an update might not install if a damaged system file prevents the update from recognizing the version of Windows that's running on your computer. For more information, see Knowledge Base article 947821.
Q16: Three related questions concerning MS12-043:
First, it appears that KB2721691 for XML 4.0 only applies to systems with XML 4.0 SP3 installed. Since 4.0 SP3 is newer than KB954430 in MS08-069, it would be inaccurate to say that KB2721691 replaces it?
Second, is it safe to assume that the vulnerability in 4.0 SP3 is probably present in 4.0 SP2?
Third, will Microsoft consider making MSXML 4.0 SP3 a critical update for all systems with XML 4.0 installed (and to advertise it both through MBSA/ITMU and through WU/MU/WSUS), and issuing an advisory informing users that in the interim they need to manually inspect the version of MSXML 4.0 on their systems and update it to MSXML 4.0 SP3 as quickly as possible?
A16: With regard to the first question, MS08-069 is already addressed in XML Core Services 4.0 Service Pack 3, so the vulnerabilities are not present. If XML Core Services 4.0 Service Pack 2 is present without MS08-069, MS12-043 will not apply to this product, and so it will not supersede MS08-069.
With regard to the second question, XML Core Services 4.0 Service Pack 2 went out of support on April 13, 2010, so we are no longer servicing this product. We are also no longer performing security investigations to determine whether a particular vulnerability is present. In order to apply MS12-043, you must first upgrade from XML Core Services 4.0 Service Pack 2 to XML Core Services 4.0 Service Pack 3.
With regard to the third question, XML Core Services 4.0 Service Pack 3 is a Non-Security update, so it cannot be classified as critical. However, it is classified as High Priority and should be automatically installed if the customer is using our automatic updates client recommendations; for more information, see KB311047, “How to keep your Windows computer up-to-date.” XML Core Services 4.0 Service Pack 3 is available through Windows Update, Microsoft Update, Important/Automatic Updates, WSUS, and the Catalog. See KB979198, “Description of Software Update Services and Windows Server Update Services changes in content for 2009,” for details.