Monthly Security Bulletin Webcast Q&A - October 2010
Hosts: Jerry Bryant, Group Manager, Response Communications
Jonathan Ness, Principal Security SDE Lead, MSRC
Chat Topic: October 2010 Security Bulletin Release
Date: Wednesday, October 13, 2010
Q: I pushed one of the .Net security updates (3.5) for this month on one of my test SQL boxes, and it hung. Have you gotten any other reports about that?
A: We did not release an update for the .NET Framework 3.5 or 3.5 SP1 yesterday, so I am assuming you are referring to the out-of-band security update for ASP.NET released 2 weeks ago. This response is in that context. We are not aware of a "hang" type issue after installing the security update for the ASP.NET vulnerability. We would recommend you call customer support. They should be able to help debug the issue and identify the root cause.
Q: Maybe I missed it but did you talk about KB2158563? My WSUS didn't seem to download it.
A: This KB does not refer to a security update, so we cannot comment on it.
Q: If I install any security updates related to Internet Explorer, will there be an issue with any other browsers?
A: Updates for Internet Explorer will not have an effect on third-party browsers.
Q: Regarding MS10-083, if WordPad was not available, would either of the updates in the bulletin be available to host?
A: WordPad is available by default in Windows. The Windows shell update is also available for all systems newer than Vista or Server 2008. Vista or newer systems will require both of the updates that are offered in bulletin MS10-083.
Q: I am running Windows clustering on a Windows Server 2008 system. Would MS10-086 need to be applied or only on Windows 2008 R2 editions?
A: Every bulletin has a non-affected software list to help customers understand whether a bulletin is applicable to them or not. In this specific case, Windows Server 2008 is listed in the non-affected list. So no, you do not need to install the MS10-086 update. Only customers of Windows Server 2008 R2 need to install this update.
Q: How much regression testing has been done with the .NET updates, considering the variety and number of .NET applications out there?
A: All .NET Framework security updates go through a broad spectrum of testing, including functional testing of the fix itself, regression testing, performance testing, application compatibility testing, and deployment testing. Additionally, we test .NET Framework updates against several of the larger Microsoft products, including SharePoint, Exchange, SQL, and so on, to ensure that a change in the .NET Framework does not break anything in these other products. Finally, we test the deployment of the packages themselves to ensure the updates install on a wide variety of hardware, OS platforms, architectures, and so forth.
Q: Is MS10-077 related to the MS10-070 out-of-band (OOB) update at all?
Q: I am hosting a secure site for payments. Will the security updates have any effect on the Secure Sockets Layer (SSL)-based payment gateways?
A: The SSL security update (MS10-085) fixes a denial of service vulnerability that can take a machine down while it is in the middle of an SSL handshake. We recommend you install this update, especially if your business requires SSL.
Q: In MS10-074 is the list of third party products that expose the vulnerability published somewhere?
A: Given that this vulnerability affects an application framework (Microsoft Foundation Classes), we recommend that customers install this security update to fix the underlying vulnerability. This way, they will be protected against all attack vectors, including those found in the future.
Q: Regarding MS10-079 and MS10-080 - Does the update require Word/Excel/Office Service Pack 3 to be installed? Does the update apply to all Service Packs for Word and Excel?
A: Service Pack 3 is required for Office XP and Office 2003, as previous versions are out of support. For Office 2007, SP2 is required for the same reason.
Q: Does MS10-072 affect Small Business Server?
A: Windows SharePoint Services is included as part of Small Business Server and will be offered the update.
Q: Do we need to be concerned about Access Control Lists (ACLs) or security on Shared Cluster Disks that have been created prior to the release of MS10-086?
A: Yes. After applying the update, administrators will need to check the permissions on existing cluster disk administrative shares and set the proper access levels for their specific environment. This question is covered in the FAQ section of the bulletin under "Will this security update correct permissions on existing shared cluster disks?"
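The answer above says the update does not fix permissions on shares that already exist, so the check has to be done by hand. The following script is an added example (not from the webcast or the bulletin) that enumerates the disk shares on one node with WMI and reports share-level ACEs that grant Full Control to broad principals; the node name, the list of "broad" principals and the Full Control mask value are assumptions to adjust for your environment.

```powershell
# Added example: audit share-level DACLs on a cluster node after MS10-086.
# Uses Get-WmiObject so it also runs on the PowerShell 2.0 shipped with
# Windows Server 2008 R2. Run it once per node; it only reads, never changes.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # assumption: one node at a time
)

# Assumption: these principals are "too broad" for Full Control on a cluster share.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users')

# Share access mask for Full Control (read/change/full bits all set).
$FullControlMask = 2032127

# Type 0 = disk drive share; skips IPC$, printers and admin-only device shares.
$shares = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
    Where-Object { $_.Type -eq 0 }

foreach ($share in $shares) {
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
        -ComputerName $ComputerName -Filter "Name='$($share.Name)'"
    if (-not $sec) { continue }   # share has no explicit security descriptor

    $sd = $sec.GetSecurityDescriptor()
    if ($sd.ReturnValue -ne 0) {
        Write-Warning "Could not read DACL for \\$ComputerName\$($share.Name)"
        continue
    }

    foreach ($ace in $sd.Descriptor.DACL) {
        $name = $ace.Trustee.Name
        $full = ($ace.AccessMask -band $FullControlMask) -eq $FullControlMask
        # AceType 0 = access allowed; we only care about grants, not denies.
        if ($ace.AceType -eq 0 -and $full -and ($BroadPrincipals -contains $name)) {
            New-Object PSObject -Property @{
                Node    = $ComputerName
                Share   = $share.Name
                Path    = $share.Path
                Trustee = "$($ace.Trustee.Domain)\$name"
                Finding = 'Full Control granted to broad principal'
            }
        }
    }
}
```

Pipe the output to Export-Csv to keep a record per node, then tighten the flagged shares to the access levels your environment actually requires.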
Q: Regarding Microsoft Security Advisory 2269637: Will this advisory be resolved via updates for Microsoft products that load libraries insecurely?
A: We are investigating the vulnerability and where applicable we will provide updates to resolve the vulnerability and address attack vectors that may leverage this issue.
Q: For MS10-076, is it possible to completely disable font download as mitigation?
A: The workaround in the bulletin includes instructions for disabling parsing on fonts in IE. This will effectively mitigate the issue until the update is installed. A user doesn’t need to download a particular font to be exploited; a malicious font just needs to be hosted on a web site.
Q: Will developers need to recompile their code after MS10-077 update is installed or is this a client problem only?
A: The Just in Time Compiler (JTC) compiles the application during execution (at runtime). So, there is no need for developers to re-compile their code.
Q: The October Microsoft Security Advisory 973811 v1.7 added KB2345886 for Server Message Block (SMB). How do we connect to hardened SMB shares from Windows Pre-installation Environment/ Windows Recovery Environment (WinPE/RE), Windows Phone/Mobile, Macintosh and Linux clients?
A: You can find details in the TechNet article entitled "Managing Permissions for Shared Folders" at http://technet.microsoft.com.
Q: Many of the links to KB articles describing issues in detail (including Known Issues) were not available yesterday. What can be done to assure links are correct and content is available?
A: There was an issue in publishing some of the KB articles yesterday, but these should all be live by now.