June 2011

June 2011 Security Bulletin Webcast Q&A

Hosts: Jonathan Ness, Security Development Manager

Jerry Bryant, Group Manager, Response Communications

Website: TechNet/security

Chat Topic: June 2011 Security Bulletin Release
Date: Wednesday, June 15, 2011

 

Q: Were delta patch versions of the Malicious Software Removal Tool (MSRT) V3.20 available this month, or only the full versions? The Microsoft Update Catalog only has the full versions available for download.

A: Yes, a machine gets either a full patch or a delta patch based on our optimized logic. The end result is the full version of MSRT, and the Microsoft Update (MU) catalog shows only a single MSRT update.

 

Q: Is the MSRT a cumulative update, or do I need to approve each month's updates on my Windows Server Update Services (WSUS) server?

A: It is a cumulative update. Approving the latest update is sufficient.

 

Q: Does MS11-049 also affect the Microsoft XML Notepad 2007? (see http://www.microsoft.com/downloads/en/details.aspx?familyid=72d6aa49-787d-4118-ba5f-4f30fe913628&displaylang=en)

A: No - this product is not affected by this issue.

 

Q: Is that update for the Office 2007 through the Exchange Server or does it need to be installed client-side?

A: There are no updates that affect Exchange server this month. The updates that affect Office 2007 are MS11-045 for Excel and MS11-049 which has an InfoPath variant -- these need to be installed on client systems that have the affected products installed, and again they do not affect Exchange Server.

 

Q: You described how Office File Validation is in Office 2010 but can be installed for Office 2003 and 2007. Does that need to be installed on the Exchange Server side or on the client-side?

A: Office File Validation is a client-based solution. Details on how to set it up can be found at http://support.microsoft.com/kb/2501584.

 

Q: MS11-039 and MS11-044 are both .NET Framework updates. Why are there two separate updates?

A: These updates address different issues within different components of the .NET Framework. It was unfeasible to address these separate issues with a single update.

 

Q: Does Microsoft Security Bulletin MS11-049 apply to SQL Server 2005 Express SP2? I know we need to upgrade to SP3 to be the most updated, but I would like to know if this single update applies.

A: Server 2005 Express SP2 is no longer in support, so we cannot comment on it. You are correct that you need to be at Server 2005 Express SP3 or SP4 to obtain an update.

 

Q: MS11-049 is an information disclosure issue. Could it be used to read data from a SQL database?

A: It would be possible to read information from a SQL database file if a user opens a specially crafted web service discovery file. The information disclosure would allow an attacker to read data from a file located on the target system.

 

Q: For the SQL Server patches in MS11-049, are there any plans to publish a list of other fixes included in the updates? Several customers have already asked me about what else is in the update, since the build numbers of sqlservr.exe jumped so much.

A: All Quick Fix Engineering (QFE) updates do include all previous QFEs that have shipped so far. There are no unpublished QFEs. The General Distribution Release (GDR) update has only the security related updates thus far.

 

Q: Last month's webcast mentioned that there was a problem with certificates. Could you please elaborate on that? This past month I've had a few users complain that they could not get to websites such as cnn.com, and the event log said it was traced to old certificates.

A: Yes. On May 10th, Security Advisory 2524372 Fraudulent Digital Certificates Could Allow Spoofing was updated to announce the release of an update for Mobile 6.x devices. Please see the advisory http://www.microsoft.com/technet/security/advisory/2524375.mspx for more details on which sites were affected. This update would not have had an effect on cnn.com.

 

Q: Please define latest software vs. older software. Which operating systems are older?

A: Latest software refers to the most recent release of the operating system. For instance, for client-based operating systems, Windows 7 would be considered the latest software, whereas Windows Vista and Windows XP would be referred to as older software.

 

Q: For MS11-049, I see this mostly as a client issue on a workstation as that is where Visual Studio is used. Could the information disclosure happen on the SQL Server instance itself when someone is connected to the SQL Server instance?

A: No. To be affected by this issue, a user would need to open a specially crafted Web Service Discovery (.disco) file with one of the applications listed in the Affected Software table.

 

Q: Is MS11-051 compatible with Certificate Services Web Enrollment Vista update for Server 2003 (KB922706)? #MSFTSecWebcast

A: Yes, MS11-051 is compatible with and will update Windows Server 2003 servers that have KB922706 installed.

 

Q: What is the Group Policy Object (GPO) that can be used to mitigate MS11-045?

A: The GPO and the details on how to set Office File Validation as a workaround for MS11-045 can be found at http://technet.microsoft.com/en-us/library/gg985445(office.12).aspx.

 

Q: Regarding MS11-049, does this also affect the Microsoft XML Notepad 2007?

A: No. Microsoft XML Notepad 2007 is not affected by this issue.

 

Q: I think you misspoke about the re-release of MS11-025. If you look, the KB says we DO need to re-apply... the binaries changed.

A: That is correct -- you do need to re-apply this update to ensure the known issues are addressed by the updated release.

 

Q: How can you tell if your version of Internet Explorer (IE) is operating in Enhanced Security Configuration? Are there registry keys or anything like that?

A: All Windows Server installations, starting with Windows Server 2003, have Enhanced Security Configuration enabled by default. There are two URLs with further information for checking your system's configuration. Those URLs are listed below:

 

Please review http://msdn.microsoft.com/en-us/library/ms537180(v=vs.85).aspx and http://technet.microsoft.com/en-us/library/dd883248(WS.10).aspx.

 

To check if your system has Enhanced Security Configuration enabled, check the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap. If the IEHarden value is 1, ESC is enabled; if the value is 0 or the key is missing, ESC is not enabled.
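The registry check described in the answer above, written up as an added PowerShell example (not code from the webcast or from Microsoft): it reads the machine-wide ZoneMap key and treats a missing key or missing IEHarden value as "not enabled", as the answer states. The function name Get-IEEscStatus and the output object's field names are this example's own choices.

```powershell
# Added example: report IE Enhanced Security Configuration (ESC) state from the
# IEHarden value under the ZoneMap key named in the answer above.
# Assumption: only the machine-wide (HKLM) key is consulted, as the answer describes.
function Get-IEEscStatus {
    [CmdletBinding()]
    param()

    $keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

    # Key absent entirely: per the answer, ESC is not enabled.
    if (-not (Test-Path -Path $keyPath)) {
        return [pscustomobject]@{ Enabled = $false; IEHarden = $null; Reason = 'ZoneMap key missing' }
    }

    $item  = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    $value = $item.IEHarden

    # Key present but no IEHarden value: also treated as not enabled.
    if ($null -eq $value) {
        return [pscustomobject]@{ Enabled = $false; IEHarden = $null; Reason = 'IEHarden value missing' }
    }

    # Value present: 1 means ESC is enabled; 0 (or any other value) means it is not.
    $enabled = ([int]$value -eq 1)
    $reason  = if ($enabled) { 'IEHarden = 1' } else { "IEHarden = $value" }
    return [pscustomobject]@{ Enabled = $enabled; IEHarden = [int]$value; Reason = $reason }
}

# Usage: run on the server being checked; prints Enabled, IEHarden and Reason.
Get-IEEscStatus | Format-List
```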