September 2012 OOB

September 2012 Out-of-Band Security Bulletin Webcast Q&A

Hosts:                   Jeremy Tinder, Security Program Manager

                              Dustin Childs, Group Manager, Response Communications

Website:              TechNet/Security

Chat Topic:         September 2012 Security Bulletin Release
Date:                    Friday, September 21, 2012
 

Q: If anyone, at any time, would have to reset their browser setting to default, would that impact KB 2744842 in any way?

A: No. There will be no impact.

 

Q: What Knowledge Based Article (KB) will we see in WSUS?

A: For the Internet Explorer Cumulative update addressed in MS12-063, the package/update KB is 2744842. 

 

Q: It was stated that it is the Java 6.0 function in Internet Explorer that is being patched. If you have websites coded in using Java, will they continue to work?

A: For MS12-063, we patched Internet Explorer. The Java and Java updates are owned by Oracle. It’s best to check Oracle’s web site for information on their updates.

 

Q: Before the Fix-it was released, one of Microsoft's advices was to install EMET. This is stated as "limited support only". What does this statement precisely mean?

A: Support for EMET is limited in the sense that support is provided via Microsoft's support forums and via email. Microsoft does not offer phone-based support for EMET. See Microsoft KB Article 2458544 (The Enhanced Mitigation Experience Toolkit) to get started.  

 

Q: This vulnerability has been talked about as being exploited via Java 6.0. But this is an Internet Explorer vulnerability. Have any exploits been written that don't need Java?

A: The known, actively used exploitation is utilizing Java. Theoretically, it’s possible to exploit without Java, but it’s a complicated process to successfully accomplish.

 

Q: From the chart in the presentation this afternoon, "By default, Internet Explorer on Windows Server 2003, Windows Server 2008 and Windows Servers 2008 R2 runs in a restricted mode known as Enhanced Security Configuration". A similar statement is made regarding Microsoft Outlook, Microsoft Outlook Express and Windows Mail. If this "by default" behavior has been changed - thereby making these configurations vulnerable to this exploit - can this change be detected?

A: Detecting a change in settings would be dependent on your environment. There is nothing built into the browser that will specifically alert you to a settings change, though you can go into options and return the application to default settings. We recommend that the update be deployed regardless of the presence of mitigations.

 

Q: We are installing this patch on systems and we are getting a "Patch already installed" error. Does this have something to do with patch MS12-052 already being installed?

A: We are not aware of any issues with the installation of this update – and though it is the cumulative update for Internet Explorer, it is a completely separate update package from MS12-052. Please double check that you have the right update package and also, verify if the systems reporting the update is already installed have automatic updates enabled. If this continues to be a problem, please contact our customer service line.

 

Q: Is it possible to install the security updates while Internet Explorer is running, or does it have to be restarted?

A: Windows Update technology allows the user to install updates while Internet Explorer is running. But the system must be restarted to enable the update.

 

Q: If anyone had to reset their browser settings any time after installing update 2744842, would that impact Internet Explorer in any way?

A: No, it will have no impact.

 

Q: I’m looking for information on how to deploy this thru WSUS.

A: Within the security bulletin, scroll down to the bottom, and look for the section titled: "Detection and Deployment Tools and Guidance" If your question is more about how to deploy updates in general via WSUS, then please visit the WSUS Tech Center.

 

Q: I checked the bulletin but could not find any reference to the file version. What is the file version of iexplore.exe that we should see after the install, both on Internet Explorer 8 on Windows 7?

A: The file version for Windows 7 should be 8.0.7600.17115. If you have applied a hotfix before the Windows 7 file version, it will be 8.0.7600.21313.

 

Q: Are there any concerns with the 64-bit version of the browser?

A: The Fix-it for Microsoft Security Advisory 2757760 was designed to protect customers from active attacks. Those attacks only targeted 32-bit versions of IE, so the fix-it only applied to this browser architecture. MS12-063 applies to both 32-bit and 64-bit browsers, and fully resolves the CVE-2012-4969 vulnerability on all platforms.

 

Q: Do you recommend installing EMET in addition to MS12-063?

A: EMET has helped blunt attempted attacks such as the one we’re talking about here. If users install the update provided in MS12-063, they are protected from all the vulnerabilities described in the bulletin. Still, as stated before it is a great idea to have applications opted into EMET and running all the time, as it has proved to be a great defense-in-depth technology that can prevent attacks on vulnerabilities when fixes are not available yet.

 

Q: Just to be clear, if we are pushing out the patches released today for KB2744842, do we still need to run the Fix it tool individually?

A: Today’s update patches the same vulnerability that is addressed in Microsoft Security Advisory 2757760. Customers who implemented the Microsoft Fix it solution do not need to undo the Microsoft Fix it solution before applying this update.

 

Q: What is the impact to the user's experience after the cumulative update is applied on intranet sites? Can they expect more pop-ups that they have to acknowledge than they see today?

A: There are no known issues related to today’s cumulative Internet Explorer update.

 

Q: If I have an application that uses Internet Explorer components and it automatically does a get to a web page, can this exploit be leveraged to run remote code execution? If so, do you have a list such integrate with Internet Explorer? Or is there an easy script to run to determine Internet Explorer component use?

A: If the web page is stored in a database after the get, this exploit can’t be leveraged. It is needed to have script enabled to run remote code execution. There are many applications using the Internet Explorer component – for instance, Microsoft Outlook. But Outlook is not vulnerable, because Outlook won’t allow the script to run, which mitigates the issue. The number of applications that integrate with Internet Explorer is massive, and we don't have the full list. You can use tools to pull the loaded DLL by your application and see whether MSHTML.dll MSHTMLed.dll is loaded or not.

 

Q: Is there any way to configure Internet Explorer to block Java (not JavaScript) until the user provides permission for that specific web site -- similar to your ActiveX Filtering function?

A: Yes, you can disable Java in Internet Explorer. Please refer to KB2751647, How to disable the Java web plug-in in Internet Explorer.

 

Q: Can MS012-063 be synchronized to SCCM 2007 software update right now?

A: Yes - MS12-063 is supported by all Microsoft manageability tools (System Center Configuration Manager, WU, MU, MBSA, WSUS, and ITMU) and should be available to, or via, those tools now.

 

Q: Besides the out-of-band issue, does today's Internet Explorer update include any fixes that were originally scheduled for October?

A: Yes. Today's Internet Explorer update includes fixes for the out-of-band issue, which is CVE-2012-4969, and four other critical RCE vulnerabilities -- CVE-2012-1529, CVE-2012-2546, CVE-2012-2548, and CVE-2012-2557.