May 2011

Hosts:

Hosts: Dustin Childs, Senior Security Program Manager, MSRC

Pete Voss, Senior Response Communications Manager

Website: TechNet/security

Chat Topic: May 2011 Security Bulletin Release
Date: Wednesday, May 11, 2011

Q: Why was the April Malicious Software Removal Tool (MSRT) re-released? Also both KB890830 and KB891716 were not updated, including the GUID value data to determine if it was run.

A: In continuation of our support for the takedown activities on the Win32/Afcore botnet, we released a second edition of MSRT in April. This edition includes variants of Win32/Afcore released by the criminals behind it at approximately the same time as the previous edition of MSRT.

While MSRT has traditionally been released on the second Tuesday of the month alongside other security releases, we are not tied to this schedule. We can, and will, release MSRT as needed to support takedown activities or other times when the impact will be potentially significant. This additional release is on request and we welcome other requests in the future.

This release also includes some additional enhancements to the MSRT engine for other malware families, which have also been incorporated into definitions for Microsoft Security Essentials and the Forefront products since the last MSRT release.

Q: I noticed that KB 2509470 was recalled on its first issue then today is it re-released and ready to be installed. Previously, it had said not to install it.

A: KB2509470 is not a security update; rather it is a package that gives Outlook the ability to use the EPA method of authentication. The non-security update was originally pulled because it was found to cause printing issues. This is actually installed in the KB article that we are discussing.

Q: Does the MS11-036 PowerPoint update correct the display/corruption problem that was caused by the April update? Specifically, (the issue with PowerPoint 2003) opening a .ppt created in a newer version and using an image as the background?

A: The answer to your question is Yes. You can review the KB article for the known issues related to MS11-036.

Q: KB2464588, an update for PowerPoint 2003, was released in April and caused issues with some PowerPoint files within our enterprise environment. Does KB2535812, released yesterday, replace that update? Does it require that KB2464588 be installed before KB2535812 is applicable?

A: Yes, the May release of KB2535812 does replace the update. You can review the KB article for the known issues related to MS11-036.

Q: For MS11-036, the KB article noted that endpoints with PowerPoint 2007 Service Pack 2 must also apply KB2540162 to be protected from the vulnerabilities described in this bulletin.

I have done a full install of Office 2007 Service Pack 2 and verified that MBSA does not offer it.

A: Thanks for pointing that out. We will change the pre-requisite so it says Compatibility Pack Service Pack 2.

Q: If my WINS server is updated with MS11-035 and a replication partner is not, will replication fail?

A: The update is intended to be compatible across multiple binary versions. If you run into any problems in your environment please call 1-800-PC-SAFETy.

Q: I tried to load MS11-036 on my windows XP SP3 desktop and got a message that it has already been updated. We don't have auto update turned on.

A: We are familiar with this issue and it has been documented in the bulletin KB articles. This message occurs because update KB 2543242 is installed. Office updates are cumulative and this security update includes update KB 2543242.

Q: Will the 'Where's My Update' page for Windows Phone 7 include info on when the revoked SSL certificates mentioned in KB 2524375 will be available?

A: The update for Windows Phone 7 for the SSL issue has started a phased release to mobile phones starting on May 3rd. for more information on this issue please see KB 2524375.

Q: Can you recommend folks install KB 2533552 (out Tuesday) to prevent issues with Windows 7 Service Pack 1?

A: Only install the hotfix offered in KB 2533552 if you run into error message "0xC0000034" when you are attempting to install Windows 7 Service Pack 1. If you are not seeing this error message this update is not required.

Q: Is Windows 7 Service Pack 1 a prerequisite for either of these updates? If not, how soon is it expected that updates will require Service Pack 1?

A: None of the updates that are released this month have a requirement for Windows 7 Service Pack 1. In the future, updates will be released for each supported platform. For example, updates would be available for Windows 7 RTM as well as Windows 7 Servicer Pack 1 as long as both platforms are supported.

Q: A sister company to my customer de-installs April update KB 2509553 because they claim this has caused long waiting time in Office and Outlook. Do you have any comments about this, because I can't find anything official about it?

A: We are unaware of any performance issues related to MS11-030. This said, we encourage anyone with this issue to open a support case and begin an investigation.

Q: According to the bulletin for MS11-035 there is known issue: "If you apply this WINS security update on a Windows Server 2003-based computer that does not have WINS enabled, the update seems to install correctly, and an entry in Add or Remove Programs.” However, in this scenario, the vulnerable files are not updated. The update is not persistent. Therefore, if WINS is enabled later, this security update must be reapplied. Will this be fixed in the future, if so when?

A: This known issue does not affect future deployments of this update. Therefore, this is documented as a known issue and an update will not be re-issued to fix this problem.

When you install the WINS update on a server without the affected binaries (which this known issue covers) there is nothing for the update to update since the binaries do not exist in the system. If at a future time you enable WINS on the system the update will be re-offered and the update will address the vulnerable bits.

The only side effect of this issue is that systems without the WINS service installed can show that the update is installed in Add and Remove Programs when the affected binaries do not exist on the system.