Monthly Security Bulletin Webcast Q&A – September 2010
Hosts: Adrian Stone, Senior Security Program Manager Lead
Jerry Bryant, Group Manager, Response Communications
Chat Topic: September 2010 Security Bulletin Release
Date: Wednesday, September 15, 2010
Q: Are your Severity and Exploitability Indexes based on lack of defense in depth? If an organization has a number of security layers is this the same index?
A: The exploitability index is based on the likelihood of publicly available proof of concept code being released with 30 days of the bulletin release. The severity and bulletin deployment recommendations cannot account for all defense-in-depth measures that may be used by various enterprises. All customers should use these strictly as guidance when making their own update prioritization decisions.
Q: What product should I have selected on WSUS 3.0 to allow downloading theKB2315011 update? It doesn’t appear in my updates, and I synchronized just a few minutes ago.
A: You would need to synchronize Office/Outlook products. If you require additional assistance with the security updates please contact Customer Support at http://support.microsoft.com , or your regional Customer Service Representative (http://support.microsoft.com/common/international.aspx).
Q: Regarding MS10-061, on a Windows 2003 system, could the vulnerability be exploited by an internal authenticated corporate user if they have access to the shared printers?
A: Yes. The vulnerability in Print Spooler on Windows Server2003 allows for others to run code on the target system with System-level permissions. On Windows Server 2003, print sharing is not available by default. However, if it is enabled, then the service is available to anonymous users and could allow remote code execution in the context of System on the targeted Windows Server 2003 system. The update does not change any functionality to the print sharing service, and so we highly recommend that users who are sharing print services prioritize the deployment of this update.
Q: The September 10 post on SWIBLOG described how to use the Enhanced Mitigation Experience Toolkit 2.0 (EMET) to block the Adobe Reader 0-day exploit. Chats or webcast for additional EMET 2.0 training would be helpful.
A: An online training video for EMET is available at http://technet.microsoft.com/en-us/security/ff859539.aspx
Q: For MS10-065, is there a registry setting to query or an automated way to tell which of the IIS servers in our enterprise have FastCGI enabled or are using authentication?
A: The FastCGI vulnerability exists on Windows Server 2008 R2 and Windows 7, and you can look at the optional components to see if Common Gateway Interface (CGI) is installed. If using oclist.exe, the component name is IIS-CGI. The authentication vulnerability exists on Windows XP and is present if you have the core web server installed. You can use the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents\iis_www=1 for that.
Q: Regarding MS10-069, why are only Chinese, Japanese and Korean configurations vulnerable? Could this attack ever work against English-configured systems?
A: The vulnerability is directly related to double-byte system locales, making the only affected locales Chinese, Japanese and Korean. Note that ALL language versions of Windows XP and Windows Server 2003 carry the vulnerable files, but the vulnerability can only be exploited if the system locale is set to a Chinese, Japanese or Korean language as described in detail in the FAQ section of the MS10-069 bulletin. For example: If you have an English Windows XP configured to a Korean system locale, you are vulnerable. If you have a Korean Windows XP configured to a French system locale, you are not vulnerable.
Q: On MS10-068, the issue allows elevation of privileges. If this was targeted at a domain controller, could this allow elevation all the way up to domain admin?
A: Yes. If this issue is used to elevate privileges – Denial of Service is also possible -- an attacker could elevate to domain admin privileges.
Q: Is it true that MS10-065 affects IIS services, causing it to stop before the fix has been applied?
A: When the update is applied it does not stop the IIS service. If the IIS service is running at the time you apply the update, the update will cause the server to be signaled to reboot.
Q: Kind of off topic, but what is your take on the Enhanced Mitigation Experience Toolkit. Is it basically a Windows Service Whitelist Tool, with regards to the Adobe vulnerabilities?
A: EMET is a great tool for our customers to use for a variety of purposes. EMET is useful for deploying mitigations for a variety of components -- not just Adobe -- prior to software updates being available.
You can see the SRD blog at http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx for further details.
Q: Regarding MS10-068, is this a likely malware vector?
A: While this could be used for malware, the likelihood for Denial of Service (DoS) by using this vulnerability makes it an unlikely candidate. However, this cannot be ruled out as a potential vector.