October 2011

October 2011 Security Bulletin Webcast Q&A

Hosts: Jonathan Ness, Security Development Manager
       Jerry Bryant, Group Manager, Response Communications

Website: TechNet/security

Chat Topic: October 2011 Security Bulletin Release

Date: Wednesday, October 12, 2011

Q: I’m wondering why the Forefront Unified Access Gateway (UAG) updates are not available through System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS). Are these stand-alone downloads?

A: Because the UAG update requires the UAG administrator to open the management console and activate configuration, the update cannot be installed automatically through Microsoft Update or WSUS. Therefore, the update is available on the Microsoft Download Center for manual download and installation by an administrator. Please see the bulletin for this update for more details.


Q: Concerning MS11-078, can you give an example of how an attacker can use CAS bypass to gain access?

A: Code Access Security (CAS) helps limit the access that code has to protected resources and operations.

If a Web hosting environment allows users to upload custom ASP.NET applications, an attacker could upload a malicious ASP.NET application that uses this vulnerability to break out of the sandbox used to prevent ASP.NET code from performing harmful actions on the server system.

For more information about CAS, you can see the MSDN article entitled Code Access Security at http://msdn.microsoft.com/en-us/library/c5tk9z76.aspx.
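The answer above describes CAS as the sandbox that keeps uploaded ASP.NET code away from protected resources. The following is an added example, not code from the webcast or from Microsoft, showing what that sandbox looks like from a host's point of view: a partial-trust AppDomain whose grant set contains only the Execution permission, and an untrusted component (the class name UntrustedWorker and the probe file are constructed for this example) whose attempt to read a file is refused by the grant set. It assumes the full .NET Framework 4.x CLR on Windows, where AppDomain-based CAS sandboxing is supported.

```csharp
// Added example (not from the webcast): hosting untrusted code in a CAS
// sandbox AppDomain with a minimal grant set. MS11-078 concerns a bypass of
// exactly this kind of restriction, so the demo shows the enforced case.
// Assumes .NET Framework 4.x on Windows.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Stand-in for an uploaded, untrusted component (constructed for this example).
// MarshalByRefObject lets the host call it across the AppDomain boundary.
public class UntrustedWorker : MarshalByRefObject
{
    // Attempts a file read from inside the sandbox. With a correctly enforced
    // grant set that lacks FileIOPermission, File.ReadAllText throws
    // SecurityException, which is reported back to the host.
    public string TryReadFile(string path)
    {
        try
        {
            return "READ OK: " + File.ReadAllText(path).Length + " bytes";
        }
        catch (SecurityException ex)
        {
            return "DENIED: " + ex.GetType().Name;
        }
    }
}

public static class SandboxHost
{
    // Builds a partial-trust AppDomain that may execute code and nothing else:
    // no file I/O, no registry, no unmanaged code, no reflection emit.
    public static AppDomain CreateSandbox()
    {
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // ApplicationBase is where the sandbox probes for assemblies; using the
        // host's own directory lets it find the assembly holding UntrustedWorker.
        var setup = new AppDomainSetup
        {
            ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
        };

        // No fullTrustAssemblies are listed, so everything loaded into this
        // domain runs with the grant set above.
        return AppDomain.CreateDomain("cas-sandbox", null, setup, grant);
    }

    public static void Main()
    {
        // Constructed sample file the sandboxed code must not be able to read.
        string probe = Path.Combine(Path.GetTempPath(), "cas-probe.txt");
        File.WriteAllText(probe, "secret");

        AppDomain sandbox = CreateSandbox();
        try
        {
            var worker = (UntrustedWorker)sandbox.CreateInstanceAndUnwrap(
                typeof(UntrustedWorker).Assembly.FullName,
                typeof(UntrustedWorker).FullName);

            Console.WriteLine(worker.TryReadFile(probe));
        }
        finally
        {
            AppDomain.Unload(sandbox);
            File.Delete(probe);
        }
    }
}
```

The point of the demo is the grant set: the sandboxed code runs, but the FileIOPermission demand raised by File.ReadAllText fails because the domain was never granted it. A CAS bypass such as the one fixed in MS11-078 lets code inside such a domain act as though it had been granted more than Execution, which is why a host that relies on CAS to isolate uploaded applications needs the update on every installed .NET Framework version, not only the one its own sites target.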


Q: The current version of WSUS is pretty old. Is a new version coming down the pipe?

A: Unfortunately, we do not discuss future releases of products in this forum.


Q: Given that multiple versions of .NET can exist on a machine, is it possible for some versions to be patched, and some to be vulnerable?

A: Yes. When multiple versions of .NET Framework exist on the same system, all versions need to be updated to completely protect a system.
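Because every installed .NET Framework version has to be updated separately, the first step is knowing which versions a machine actually has. The following is an added example, not from the webcast or from Microsoft, that enumerates installed runtimes from the NDP registry key so each can be compared against the versions listed in the bulletin. It assumes the standard key layout of HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP for .NET Framework 2.0 through 4.x (per-version Install and Version values, with v4 split into Client and Full subkeys) and that it runs on Windows with rights to read HKLM.

```csharp
// Added example (not from the webcast): inventory installed .NET Framework
// versions from the registry. Assumes the usual NDP key layout on Windows.
using System;
using System.Collections.Generic;
using Microsoft.Win32;

public static class DotNetInventory
{
    const string NdpKey = @"SOFTWARE\Microsoft\NET Framework Setup\NDP";

    // Returns one "<subkey path> = <Version>" entry per installed runtime.
    public static List<string> InstalledVersions()
    {
        var found = new List<string>();
        using (RegistryKey ndp = Registry.LocalMachine.OpenSubKey(NdpKey))
        {
            if (ndp == null) return found; // no .NET Framework 2.0+ present
            foreach (string name in ndp.GetSubKeyNames())
            {
                // Version keys are named v2.0.50727, v3.0, v3.5, v4, ...;
                // other subkeys (e.g. CDF) are not runtimes.
                if (!name.StartsWith("v", StringComparison.OrdinalIgnoreCase)) continue;
                using (RegistryKey ver = ndp.OpenSubKey(name))
                {
                    Collect(ver, name, found);
                }
            }
        }
        return found;
    }

    // v2.0/v3.0/v3.5 carry Install and Version directly on the version key;
    // v4 places them under Client and Full.
    static void Collect(RegistryKey key, string path, List<string> found)
    {
        if (key == null) return;
        object install = key.GetValue("Install"); // REG_DWORD 1 when installed
        object version = key.GetValue("Version"); // e.g. "4.0.30319"
        if (install is int && (int)install == 1 && version != null)
        {
            found.Add(path + " = " + version);
        }
        foreach (string sub in key.GetSubKeyNames())
        {
            if (sub == "Client" || sub == "Full")
            {
                using (RegistryKey child = key.OpenSubKey(sub))
                {
                    Collect(child, path + "\\" + sub, found);
                }
            }
        }
    }

    public static void Main()
    {
        foreach (string entry in InstalledVersions())
        {
            Console.WriteLine(entry);
        }
    }
}
```

Each line of output names a runtime that needs its own package from the bulletin; the Version value identifies the runtime, not the servicing level, so confirm patch state by checking the updated file versions the bulletin lists for each runtime rather than from this inventory alone.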


Q: Security bulletin MS11-072 was released last month for Excel and resulted in some performance issues. What actions is Microsoft taking to resolve this?

A: We’re aware that some users are experiencing broken links after installing that bulletin and we expect to issue an update at a later date.


Q: Question about Security Advisory 2588513: Are there any plans to release a patch for this issue, or are the advisory and the mitigations what will be released?

A: For the issue described in Security Advisory 2588513, Microsoft is currently working to develop a security update. Microsoft will release that update once it has reached an appropriate level of quality for broad distribution.


Q: MS11-078 is showing Known Issues, but when I click on the link, the known issues are not there. Will there be an update describing the known issues?

A: The master bulletin KB (2604930) provides a list of the package KBs associated with this update. If there are known issues with a particular package KB, they will be listed in the package KB itself.


Q: I noticed that both MS11-075 and MS11-076 are classified as Important. However, those have received Common Vulnerability Scoring System (CVSS) Scores of 9.3 (normally critical). Just need some clarification.

A: Both MS11-075 and MS11-076 require user interaction in order to be exploited. Since there is user interaction involved and no automated path for exploit, we have given these the severity rating of Important. The Critical severity rating is reserved for exploits that do not require user interaction.