Microsoft Security Response Center

The Microsoft Security Response Center (MSRC) identifies, monitors, responds to and resolves security incidents and vulnerabilities in Microsoft software.

September 2012 Security Bulletin Webcast Q&A

Hosts: Andrew Gross, Sr. Security Program Manager
       Childs, Group Manager, Response Communications
Website: TechNet/security
Chat Topic: September 2012 Security Bulletin Release
Date: September 12, 2012

Q: MSRT 4.12 & version 110.0 of KB890830 doesn't list Windows 8 or Windows Server 2012; are there different versions of MSRT for these new operating systems? There were MSRT versions 4.11 and 4.10 for the preview releases of Windows 8.
A: We are nearing launch for Windows 8, and so we plan to release MSRT for Windows 8 in October 2012.

Q: There has been discussion recently of malware installing itself into BOOT PROM, Ethernet card PXE prom and other hard-to-reach locations. Does the Microsoft Malicious Software Removal Tool check any of these hard-to-reach locations? Any general guidance for us on this topic?
A: We recommend running a full system scan with Windows Defender Offline for the most complete scan of stealth-enabled malware; the MSRT is only able to address malware that is listed in KB890830.

Q: KB2661254 states certutil cannot be used to set registry entries in Windows XP, is this still true if using the procedure from KB934576? Also is KB934576 outdated, and should certutil be used from the WS2003 SP2 Admin Kit, or are there newer versions available?
A: No, certutil cannot be used even with KB934576. The certutil guidance can only be used for Vista or Windows 7. The version shipping with Vista and Windows 7 is newer and has the required features to make the configuration changes.

Q: Does the Configuration Manager fix apply to console only installations?
A: The Config Manager update does not apply to console-only installations.

Q: In testing KB2661254, is there any service or process that needs to be restarted after changing the logging/enforcement level to confirm the change in behavior with the feature enabled / disabled?
A: Yes, the CertSvc service may need to be restarted for the changes to take effect.

Q: Why is MS12-062 only available at the download center and not through the update catalog to allow Configuration Manager customers to scan their environment for applicability? The article is really confusing as to what versions are affected by this vulnerability.
A: SMS 2003 and Configuration Manager 2007 have not traditionally been serviced through MU/WU. Historically, we have used it to update only the administrator console. We wanted to deliver the updates through the channels from which our customers are used to getting SMS and Configuration Manager updates. We will update the bulletin to clarify which versions are affected.

For Configuration Manager 2007, the affected version is Service Pack 2. (For the record, in SMS 2003 the affected version is Service Pack 3; this answer applies strictly to Configuration Manager.) The confusion arises from the fact that the R2 and R3 releases are not full releases, but feature add-ons to the SMS and Configuration Manager products. The MS12-062 security update is applicable to the core product, not to the feature add-ons.

Q: Does the certificate update impact WSUS server or client?
A: Customers should download the update and assess its impact on their environments. The update will affect WSUS only if the private PKI environment is configured with a 512-bit key. This is not a default scenario, but could be configured. Please see the security advisory or KB article on how to enable logging to identify these certificates in the environment. Additionally, the SRD blog has good information about how to configure the update to enable logging.
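The answer above points to the advisory's logging mode for finding affected certificates; an administrator usually also wants a direct inventory of the local certificate stores before rolling the update out to a WSUS server. The script below is an added example, not part of the webcast or any Microsoft KB article. It assumes Windows PowerShell (5.1) on the server being assessed and uses 1024 bits as the threshold, which is the minimum RSA key length KB2661254 enforces, so a 512-bit private-PKI certificate like the one described in the answer would be listed.

```powershell
# Added example (not from the MSRC webcast or a Microsoft KB): inventory RSA
# certificates in the local machine stores whose public key is shorter than a
# threshold, to assess exposure to the KB2661254 minimum-key-length update.
param(
    # Assumption: 1024 bits matches the minimum KB2661254 enforces by default.
    [int]$MinimumKeyBits = 1024,
    # Optional CSV path for handing the results to the PKI or WSUS owner.
    [string]$ReportPath = ''
)

$weak = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    # Skip store containers and non-RSA (e.g. ECC) keys, which the update does not block.
    Where-Object { -not $_.PSIsContainer -and $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
    ForEach-Object {
        # PublicKey.Key exposes the RSA provider; KeySize is the modulus length in bits.
        $bits = $_.PublicKey.Key.KeySize
        if ($bits -lt $MinimumKeyBits) {
            [pscustomobject]@{
                Store      = ($_.PSParentPath -replace '^.*::', '')   # e.g. LocalMachine\My
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                KeyBits    = $bits
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
    }

if ($weak) {
    $weak | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize
    if ($ReportPath) {
        $weak | Export-Csv -Path $ReportPath -NoTypeInformation
        "Wrote $($weak.Count) weak-key certificate(s) to $ReportPath"
    }
} else {
    "No RSA certificates shorter than $MinimumKeyBits bits found under Cert:\LocalMachine."
}
```

Run it elevated on the WSUS server so the LocalMachine stores are readable; a non-empty result means the environment is in the non-default scenario the answer describes, and the advisory's logging mode can then confirm which chains would actually be rejected once enforcement is on.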

Q: With MS12-062, will there be any change required for the Configuration Manager clients?
A: No change is required for clients.

Q: On Windows Malicious Software Removal Tool - September 2012 (KB890830) – Internet Explorer Version; what is this version, how is it used?
A: KB890830 is the monthly update to MSRT, our Malicious Software Removal Tool. For complete information on MSRT, including the complete list of families it cleans and a link to the download site, please see the MSRT page at the Microsoft Safety and Security Center.

Q: It was mentioned that there is no impact for consumers or client systems. Yet I did have some client computers install updates and prompt for a reboot. Why did that happen?
A: While there are no security updates for consumer/client computers this month, there may be non-security updates offered to some client systems. One or more of these may have reboot implications for consumer/client systems.

Q: I suggest that you mention that the Microsoft update site can update the WSUS client, such that the client can no longer communicate with the customer's WSUS Server.
A: The reference was meant towards our response to the certificates issue that is described in Security Advisory 2718704, which required an update to both the WSUS infrastructure and the WU client. The server side update is discussed in KB2720211 and the client side update is addressed in KB949104. It is possible to update a client system before the server is updated, which could temporarily cause a service disruption that would be immediately resolved once the server side update is applied. This issue was also discussed on the MSRC, SRD, WSUS, and MU blogs.

Q: System Center Configuration Manager 2007 R2 and R3 installations require SP2 to be installed. Were you stating then that SP2 with NO R2 or R3 add-ons is the vulnerable version, or all installations WITH SP2 R2 or R3? Also, since we are unable to scan to determine applicability, is it applicable to all System Center Configuration Manager clients?
A: Configuration Manager SP2 with or without R2/R3 is vulnerable. SMS 2003 with or without R2 is vulnerable. Please note that R2 can be installed on SP1. If you have SP1 you should update to SP2 and make sure you are appropriately updated. These security updates are server side updates. They should be installed on all site servers. They do not apply to administrator consoles or clients. We will revise the Bulletin to remove R2/R3 applicability to minimize confusion.

Q: Does this update replace the Cumulative Security Update of ActiveX Kill Bits (2618451)?
A: No. For the purpose of automatic updating, this update does not replace the Cumulative Security Update of ActiveX Kill Bits (2618451) that is described in Microsoft Security Bulletin MS11-090. Automatic updating will still offer the MS11-090 update to customers regardless of whether or not they installed that update (2736233). However, customers who install this update (2695962) do not need to install the MS11-090 update to be protected with all the kill bits set in MS11-090.