Microsoft Security Bulletin Release Customer Webcast February 2008

Hosts:    Bill Sisk, Microsoft Security Response Communications

             Adrian Stone, Microsoft Security Response Center (MSRC)

Chat Topic: Security Bulletin
Date: Wednesday, February 13, 2008

Please note: Portions of this transcript have been edited for clarity

 

**Start of Chat:**

Q: Are you aware that exploits for MS08-007, MS08-010 and MS08-011 have been released to the public?
A: This highlights the importance of being aware of the bulletins released, and testing and deploying them in your environment.

Q: Are you aware that exploits for MS08-007, MS08-010 and MS08-011 have been released to the public?
A: Microsoft is not aware of any Active Exploits

Q: Windows Server 2008 and Vista Service Pack 1 are now Released to Manufacturing, do any of these bulletins apply to them?
A: All Bulletins released this month are not affected for Windows Server 2008 and Windows Vista Service Pack 1. Any Bulletins that currently do not have both under the unaffected products table will be revised to include them there.

Q: Does the new Internet Explorer Cumulative Update MS08-010 fix the Internet Explorer crash issues seen from the MS07-069 release? Will it overwrite the changes fixed by KB946627?
A: The Internet Explorer Cumulative Update MS08-010 does include the same registry key fix that is included in KB946627.  There will be no action on a customer's part to ensure that the fix continues working.

Q: Why is bulletin MS08-003 rated as IMPORTANT and not Critical though the impact is Remote Code Execution?
A: The impact is DOS, not RCE, which is why this is rated important

Q: Does this new Internet Explorer Cumulative Update fix the URLMON.DLL bug in the Quick Fix Engineering fork that caused Internet Explorer to crash after the last Internet Explorer update?
A: The registry key in KB946627 which relates to the URLMON.DLL bug is applied in MS08-010.  We expect a binary fix for this issue to be released in the next Internet Explorer security update.

Q: I'm wondering what to do if a security update that can't be uninstalled breaks something?
A: In this case, the guidance (which is in the bulletin) is to remove and reinstall the application concerned.

Q: Could MS08-013 affect Visual Basic 2005 at all?
A: No, Visual Basic 2005 is not vulnerable to MS08-013. Please refer to the bulletin for affected platforms.

Q: MS08-008: How does it affect the .NET runtime and the Visual Studio Developer Environment?
A: MS08-008 does not affect the .NET runtime or the Visual Studio Developer Environment. Only the Visual Basic 6 Integrated Developer Environment is affected from a developer standpoint.

Q: Does this cover the Excel security bug reported Jan 16th?
A: The issue reported in https://www.microsoft.com/technet/security/advisory/947563.mspx is still under investigation, and none of the February bulletins address this.

Q: Are there any further DST updates that we should be looking to apply now (especially for international locations)?
A: Unfortunately we do not have any subject matter experts available to answer issues relating to non-security updates

Q: For Visual Basic 6 service pack 6 what is the exact scope of the Integrated Development Environment which is affected by this vulnerability? i.e., how are you defining the Integrated Development Environment? vis-à-vis binaries affected v. runtime, re: Microsoft Security Bulletin MS08-008 - Critical
A: MS08-008 refers to a vulnerability affecting the binary oleaut32.dll that can result in remote code execution in the local user context. This binary (oleaut32.dll) is a library used by Visual Basic 6 Integrated Development Environment for supporting any Object Linking and Embedding automation controls built by the user. This binary is redistributable and if you use the Visual Basic 6 Package and Deployment Wizard to package any ActiveX controls you build, the wizard will automatically include this binary (oleaut32.dll) in the package.  Since this binary (oleaut32.dll) is a COM component, if you have Visual Basic 6 installed on your machine you need to install the Visual Basic 6 update even if you do not plan to use the package and deployment wizard because COM components are registered machine wide and failing to install the update will leave your machine vulnerable.

Q: Why [are] two different security bulletins released for Internet Information Services? How do they differ from each other?
A: The two bulletins address different components on different platforms on different versions of IIS and customers are likely to deploy one and not the other depending on their platform. In the interest of increasing deployment reliability for the common case, it was decided to publish the updates separately.

Q: MS08-012 - Can you be vulnerable if you have the .DLL files but not the publisher application .exe? ex: we have Prtf9.dll and Ptxt9.dll installed. The Mspub.exe is not present. Are we vulnerable?
A: The vulnerable code that addressed the vulnerability documented in bulletin MS08-012 is in MSPUB.EXE and not in PRTF9.DLL and PTXT9.DLL. Users may have these DLLs installed on their systems via the Office Suite installations; however these DLLs are not the cause of the vulnerability. As MSPUB.EXE is updated, these DLLs are supporting files that need to be updated because of code dependencies between MSPUB.EXE and PRTF9.DLL and PTXT9.DLL.

Q: Does this update sometimes cause Internet Explorer to go to RunOnce to run install?
A: MS08-010 does not make any changes to the RunOnce functionality in Internet Explorer. 

Q: Are there any tools available to detect if the Visual Basic 6 patch from MS08-008 is needed?
A: As per the Microsoft Baseline Security Analyzer home page, https://www.microsoft.com/technet/security/tools/mbsahome.mspx: "Legacy Product Support: For customers using legacy products not supported by Microsoft Baseline Security Analyzer 2.0.1, Microsoft Update, and Windows Server Update Services, Shavlik Technologies provides a free Microsoft Baseline Security Analyzer 2.0.1 companion tool called Shavlik NetChk Limited." Also as per the bulletin, the SMS SUIT can also detect and deploy the VS 6.0 Service Pack 6 version of MS08-008.

Q: Is MS08-011, which is the vulnerability in Microsoft Works File converter. Is Converter installed by default as a part of Microsoft Office Suite? What if Converter is not installed, is it still necessary to install the bulletin?
A: The vulnerable DLL is installed with the Microsoft Office Suite. We reference the specific versions that ship the vulnerable version of the DLL in the Affected Software section in bulletin MS08-011.

Q: I have a client who received a nasty virus through Instant Messaging.  Is that vulnerability covered in these security releases?
A: Many of the current Instant Messaging viruses rely on social engineering to trick a user into clicking on a link or opening a file, and do not leverage software vulnerabilities.  As well as encouraging users to keep their software up to date, run antivirus with up-to-date signatures, and use a firewall, we also encourage users to always practice "safe computing" and be very careful clicking on links or opening files, especially through email or Instant Messaging, even when they appear to have come from a known acquaintance.

Q: I assume that MS08-010 includes the KB946627 fix that was released for MS07-069. Is that a correct assumption?
A: The Internet Explorer Cumulative Update MS08-010 does include the same registry key fix that is included in KB946627.

Q: Are MS08-005 & MS08-006 only for workstations and servers which have Internet Information Services? Or, should they be applied on all workstations and servers?
A: MS08-005 & MS08-006 should only be applied on workstations and servers that have Internet Information Services enabled. In fact they will only be offered to customers with Internet Information Services enabled by our detection/deployment tools

Q: In MS08-013, if the Macro Security Level is set to high, will this block any malicious code from running?
A: We cannot confirm that setting the Macro Security Level to high will fully mitigate all attack vectors for the vulnerabilities documented in MS08-013. The only known workarounds are documented in the bulletin MS08-013.

Q: In article: <https://support.microsoft.com/kb/943983> It states the following: "Prerequisites You must have Microsoft Office 2003 Service Pack 3 (SP3) installed". This appears to be a typo on are part - there are separate update packages for Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, and the Microsoft Office Word Viewer 2003
A: Thanks for pointing this out. You are correct that this appears to be incorrect, we will update the KB to reflect this. Thank you.

Q: Malicious software removal tool installs but does not run without user interaction, true?
A: False.  The version of the tool delivered by Microsoft Update and Windows Update runs in the background and then reports if an infection is found. If you would like to run this tool more than once a month, use the version on this Web page or install the version that is available in the Download Center.

Q: Internet Information Services being such a vulnerable service, why is it rated as IMPORTANT and not Critical?
A: MS08-005: To exploit the issue being addressed by MS08-005 a local logged-on user needs to create a file with a malicious name on the local machine. There is no remote or unauthenticated vector that conforms to security best practices that can trigger this issue. MS08-006: There are several mitigating factors at play for this issue that dampen the severity. You can check the "Mitigating Factors" section of the bulletin for further information. Further, an exploiter will only get to execute code under the privileges of the Worker Process Identity which is a low privilege account (Network Service) that by default has no administrative authority.

Q: There were originally 12 bulletins announced, but only 11 were released. Is Microsoft expecting to release an out-of-cycle patch? Is it an Excel vulnerability?
A: Please refer to the Microsoft Security Response Center blog at https://blogs.technet.com/msrc which has a little background on this issue.  We don't discuss upcoming release plans, except in the Advance Notification Service.

Q: Just to verify - MS08-007 - A user would need to access a specially crafted web page to be affected - correct?  Is this documented anywhere?
A: You are correct.  A client would need to be convinced to initiate the conversation, and the web page would reply with a malicious response.  This is in the bulletin vulnerability FAQ section as follows: "How could an attacker exploit the vulnerability?" "An attacker could try to exploit the vulnerability by creating specially crafted WebDAV responses."

Q: We use GroupWise.  Do I still have to install Outlook patches?
A: The only Outlook updates that have been released this month are not Security Bulletins; they are Junk Mail filters.  If you are not using Outlook you will not need the Junk Mail filters.  This said, there are a number of Office components that do have mail client related attack vectors, and if you are running the affected software (see MS08-009, MS08-011, MS08-012, and MS08-013) then you should install the update

Q: When is Windows Server 2003 Service Pack 1 scheduled for end of support?
A: Please see https://www.microsoft.com/lifecycle for the complete overview of the support lifecycle on all MS products and service packs. End of Support is 14 April 2009, by the way.

Q: Will patches I approve in Windows Server Update Services alert me of missing prerequisites?
A: WSUS will report if an update is needed on a machine and deploy that patch appropriately. If a prerequisite is needed to install an update, this would indicate that the vulnerable component is not present on your system and therefore would not get offered the update.