September 2011

September 2011 Security Bulletin Webcast Q&A

Hosts: Dustin Childs, Sr. Security Program Manager
       Jerry Bryant, Group Manager, Response Communications

Website: TechNet/security

Chat Topic: September 2011 Security Bulletin Release

Date: Wednesday, September 14, 2011

Q: For MS11-070 (KB2571621), it says, "The vulnerability could allow elevation of privilege if a user received a specially crafted Windows Internet Naming Service (WINS) replication packet on an affected system running the WINS service." The description of the bulletin does not say how the system gets affected.

A: This is a local elevation of privilege vulnerability that is due to the way the WINS server improperly processes a sequence of specially crafted packets received on the loopback interface. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability by sending specially crafted packets to the loopback interface, allowing the attacker to take complete control over the affected system.

Q: Has anyone reported any detection issues on 2008 servers? Ran Microsoft Baseline Security Analyzer (MBSA) and it didn't show any as applicable, which is not right.

A: Server 2008 RTM/SP1 reached End of Support on July 12, 2011. There are no security updates for these products available. However, Server 2008 SP2 is in public support, and MBSA will report applicable updates on Server 2008 SP2.

Q: Is it true that by turning on Windows Updates, servers and desktop machines reboot?

A: Updates often require a system restart to complete their installation. The Windows Update Product Team has written about Windows Update and automatic reboots, and you can see a blog post that digs into the issue at http://blogs.technet.com/b/mu/archive/2008/10/02/windows-update-and-automatic-reboots.aspx

Q: I tried to install Security Advisory 2616676 using System Center Configuration Manager (SCCM) by downloading it manually, but it is not running on the target computer (it is in the taskbar running for a long time). Is it because of something you said about first installing Security Advisory 2607712? This is for Windows 7 and Windows Vista.

A: On Windows Vista and Windows 7, administrators need only install Security Advisory 2616676.

Q: On Windows 7 or Windows Server 2008, if you install Security Advisory 2616676 and Security Advisory 2607712 will it cause any problems? I know both are required on XP and 2003, so should I just push both to all systems?

A: On Windows 7 and Windows Server 2008 you can install both Security Advisory 2616676 and Security Advisory 2607712 without either affecting the other.

Q: Is the update Security Advisory 2616676 likely to be superseded in the next few days?

A: We will be updating Security Advisory 2607712 for XP/2003 to make it properly supersede previous updates and protect cumulatively.

Q: Presuming a bit of time before applying any updates, do you recommend immediately removing all DigiNotar certificates out of IE browsers?

A: Yes. Microsoft recommends that customers running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 install Security Advisory 2616676. Customers running Windows XP or Windows Server 2003 should install both Security Advisory 2607712 and Security Advisory 2616676.

Q: Do all the Office updates this month pertain to all Office 2010 versions?

A: Yes. The Office updates pertain to all versions of Office 2010 -- Standard, Professional, and so forth.

Q: Will Microsoft Security Advisory 2607712 be made available in SCCM and be deployed as a security update?

A: Security Advisory 2607712 will not be offered in SCCM. Administrators can take the Download Center packages and roll them into their deployments manually.

Q: With MS11-074 if we have Internet Facing SharePoint sites, what is our level of exposure? I'm not sure I understand how this is exploited. Is it more if someone had their own SharePoint site that was malicious, they could infect a browser to the site or if a SharePoint site does not have the update, an attacker could gain access to the SharePoint server itself?

A: MS11-074 addresses XSS vulnerabilities. These vulnerabilities could be leveraged to execute untrusted script in the browser of the authenticated SharePoint user. CVE-2011-1892 could allow information disclosure of files on the SharePoint server by an authenticated SharePoint user. This example would be a server attack directly against the SharePoint server.

Q: Is there any dynamic blacklist/kill-switch technology in current Microsoft products to block (current/future) compromised untrusted root CA certificates without needing to send out continuous Microsoft security updates?

A: Yes, Microsoft takes advantage of various technologies including OCSP, CTL, and CRL updates on various releases of Microsoft Windows. In order to ensure that all customers are comprehensively protected in all scenarios, and that every release of Windows receives the update, we released an update that adds the certificates to the Microsoft Untrusted Certificate store. Customers are comprehensively protected because after the update is installed, users will be protected from accessing sites signed by fraudulent DigiNotar Certificates.
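One way for an administrator to confirm on a given machine that the change the answer describes has landed, as an added example that is not code from the webcast or from Microsoft: query the Untrusted Certificates store, which the PowerShell certificate provider exposes as Cert:\LocalMachine\Disallowed, for entries that name DigiNotar, and also report any DigiNotar entries still sitting in the Trusted Root store so the two can be compared. The assumption that every relevant entry carries "DigiNotar" in its Subject or Issuer is mine; the page does not list the certificate names, so compare the output against the advisory's own list.

```powershell
# Added example (not from the webcast): check whether DigiNotar certificates
# are present in the machine's Untrusted Certificates store, which is where
# the advisory update places them, and whether any remain in Trusted Root.
# Assumption: the relevant entries carry "DigiNotar" in Subject or Issuer;
# verify against the advisory's list of certificate names.
function Get-DigiNotarCertsInStore {
    param(
        [Parameter(Mandatory = $true)][string]$StorePath,
        [string]$Pattern = 'DigiNotar'
    )
    # The certificate provider lists X509Certificate2 objects under Cert:\
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

# Entries in Disallowed override the same certificate in Root, so a
# DigiNotar cert listed here is blocked even if it is also in Root.
$untrusted = @(Get-DigiNotarCertsInStore -StorePath 'Cert:\LocalMachine\Disallowed')
$trusted   = @(Get-DigiNotarCertsInStore -StorePath 'Cert:\LocalMachine\Root')

if ($untrusted.Count -gt 0) {
    "DigiNotar entries in the Untrusted store ($($untrusted.Count)):"
    $untrusted | Format-Table -AutoSize
} else {
    "No DigiNotar entries in the Untrusted store; the advisory update is not applied."
}

if ($trusted.Count -gt 0) {
    "DigiNotar entries still present in Trusted Root ($($trusted.Count)):"
    $trusted | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on each machine after deploying the update; a non-empty Untrusted list is the expected state, and any Trusted Root entries it reports are blocked only because a matching Untrusted entry exists.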

Q: Has MS11-071 info been shared with the creator of HyperTerminal, Hilgraeve? Might HyperTerminal Private Edition also be affected?

A: Hilgraeve’s original HyperTerminal product was licensed by Microsoft for inclusion with several versions of Windows, from Windows 95 to Windows XP. Windows Vista and Windows 7 do not include that code, though the name remains. MS11-071 addresses the code as contained in Windows XP SP3, the last version to include the code. Since the issue addressed in MS11-071 is publicly known, users of HyperTerminal PE are advised to contact Hilgraeve for information on updates to that software.

Q: Why does Security Advisory 2607712 show in SCCM as being superseded by Security Advisory 2616676 for XP?

A: Microsoft is investigating the supersedence of Security Advisory 2616676 and Security Advisory 2607712. To be fully protected, customers should ensure Security Advisory 2607712 and Security Advisory 2616676 are installed on all releases of Windows XP and Windows Server 2003. Customers can download Security Advisory 2607712 from the Download Center.

Q: Why has Security Advisory 2616676 not been issued with an MSRC number given the severity of the vulnerability?

A: Security Advisory 2616676 is not contained in a bulletin because it is not considered a vulnerability in a Microsoft Product.

Q: Security Advisory 2607712 is no longer available in SCCM for XP, nor is Windows Server 2003, how do we deploy it?

A: Windows XP and Windows Server 2003 customers that want to install the Security Advisory 2607712 update should download it via the Download Center.