Hosts: Mike Reavey, Group Security Program Manager
Adrian Stone, Microsoft Security Response Center (MSRC)
Website: TechNet/security
Topic: Information about Microsoft Security Bulletins
Date: Wednesday, July 9, 2008
Q: Why was CVE-2008-0951 (Windows Vista does not properly enforce the NoDriveTypeAutoRun registry value) not listed as a fixed vulnerability in the bulletin for MS08-038? The notice was embedded within the Bulletin FAQ and has been overlooked by many people.
A: The vuln addressed by the bulletin only covered the save search issue. It just so happened the binary affected also controls the Autorun registry key mentioned in the FAQ. That CVE number was assigned by CERT and not the MSRC. For Autorun, no functional changes were made. The registry key now works as advertised. Previous to MS08-038, it did not.
The decision was made not to separate it out as a separate vuln because it was simply a registry key that did not work. On its own, this issue was not important enough to be a bulletin-class issue. However, we thought it was better to at least list CERT’s CVE number than not call it out at all.
Q: Can you provide some insight into the potential attack vectors associated with the DNS cache poisoning? Specifically to what degree is it different than the previous cache poisoning?
A: The vulnerability addressed in this DNS update is similar to the last DNS TXID bulletin update (MS08-020). The attack scenarios are similar as well. This allows an attacker to populate the DNS cache with false information due to the predictability of the sockets that DNS uses to communicate.
For more analysis, please see: http://blogs.technet.com/swi/archive/2008/04/09/ms08-020-how-predictable-is-the-dns-transaction-id.aspx.
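As an added example (not part of the webcast, and not Microsoft's own tooling), the following Python check lets a defender test the property these DNS updates change: whether a resolver's outbound queries randomize the UDP source port and the transaction ID, or whether they are fixed or sequential and therefore easy to guess. The two samples are constructed, not captured from a real server.

```python
"""Assess whether a resolver's outbound DNS queries randomize their
UDP source port and 16-bit transaction ID (the weakness behind
MS08-020 / MS08-037). Constructed example; input is a list of
(source_port, txid) pairs, e.g. taken from a packet capture."""
from collections import Counter
import math


def shannon_bits(values):
    """Empirical entropy of the sample in bits (max 16 for a 16-bit field)."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_sequential(values, tolerance=0.5):
    """True if more than `tolerance` of consecutive deltas are +1 (mod 2^16),
    i.e. the field is a simple counter rather than a random value."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1) > tolerance


def assess_queries(queries):
    """Return entropy estimates for port and TXID plus a 'weak'/'ok' verdict.
    'weak' means the guess space collapses to ~16 bits or less: a fixed
    source port, or a port/TXID that simply counts upward."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    report = {
        "port_bits": shannon_bits(ports),
        "txid_bits": shannon_bits(txids),
        "port_sequential": looks_sequential(ports),
        "txid_sequential": looks_sequential(txids),
    }
    fixed_port = len(set(ports)) == 1
    weak = fixed_port or report["port_sequential"] or report["txid_sequential"]
    report["verdict"] = "weak" if weak else "ok"
    return report


# Constructed samples (hypothetical, not real captures):
# pre-update behaviour: one fixed source port, TXID incrementing by one
UNPATCHED = [(1053, 0x1000 + i) for i in range(64)]
# post-update behaviour: varying ephemeral port and non-sequential TXID
PATCHED = [(49152 + (i * 7919) % 16384, (i * 40503 + 1234) % 65536)
           for i in range(64)]

if __name__ == "__main__":
    print("unpatched:", assess_queries(UNPATCHED))
    print("patched:  ", assess_queries(PATCHED))
```

Feed it a few hundred real pairs from a capture of port 53 traffic leaving the resolver; a fixed port or a counting TXID should come back as "weak".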
Q: What exact type of access would an authenticated attacker need to a vulnerable SQL server in order to perform this attack?
A: Having permission to login to the SQL Server through SQL permissions or a Windows account granted permissions would be sufficient. At that point they would be able to issue commands to reach the vulnerable code.
Q: MS08-040 - Can that be uninstalled, or once it is installed is that instance of SQL automatically updated and can’t be reversed?
A: As stated in the bulletin under deployment guidance, most can be uninstalled by using Add/Remove programs. For SQL 7.0 / MSDE 1.0 please refer to the readme file included in the patch.
Q: Two security advisories were recently released concerning Snapshot viewer & Access as well as Word 2002 SP3 vulnerabilities. Does MS plan and would it even be possible to release a patch before the end of the week to address these as part of an out of band release?
A: Microsoft is always investigating potential and existing vulnerabilities in an effort to help protect our customers. Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe. In some instances, multiple vendors are affected by the same or similar issue, which requires a coordinated release.
For an inside look into the details involved in issuing a security update please visit http://blogs.technet.com/msrc/archive/2007/04/03/an-inside-look-into-building-and-releasing-ms07-017.aspx
Q: With MS08-039, if it is installed on Exchange 2007 then later Exchange 2007 SP1 is installed will we have to reinstall MS08-039?
A: Yes. The vulnerabilities addressed in MS08-039 apply to both versions of Exchange 2007, and the update will need to be applied on each version regardless of whether you installed this update prior to upgrading to Exchange 2007 Service Pack 1.
Q: In MS08-039, if the OWA client is affected, why is the patch released for the server only?
A: Because the OWA client is not installed on clients, but hosted on the server and accessed through a web browser on the client.
Q: With the SQL Server Bulletin, if SQL injection vulnerability also existed in an application, could an attacker escalate privileges the same way described?
A: Yes. If there are any SQL Injection vulnerabilities in applications then an attacker could potentially exploit those to gain access and escalate privileges on the backend server. (An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.)
Q: What is the difference between the GDR and QFE updates for SQL?
A: GDR stands for ‘General Distribution Release’. These patches have fixes for issues that affect a large number of people and/or security fixes. QFE stands for ‘Quick Fix Engineering’; these are hotfixes.
Q: Is MS08-037 a specific problem with Windows DNS, or is this a problem related to the way DNS is implemented across almost all vendors? Could it also be considered a DNS Cache Poisoning exploit?
A: No, the issue addressed is not a Windows DNS specific vuln. This is a design flaw in the RFC for DNS and other DNS vendors were also vulnerable and we have made updates available for their DNS solutions.
Q: I have had a problem with SharePoint Server 2007 and SQL Server 2000 updates. Will KB948110 affect any of my settings in SharePoint and cause it not to function properly?
A: The SQL Server 2000 update KB948110 should not affect SharePoint Server 2007 functionality.
Q: Can you discuss the Zone Alarm issue?
A: Microsoft is aware of reports of possible issues related to MS08-037 (DNS) and Zone Alarm. We are investigating these reports and will provide information on this once our investigation is complete.
Q: What is the URL for the Microsoft Update blog?
A: http://blogs.technet.com/mu
Q: MS08-037 - I update approx. 50 Windows servers; one server has Intel Pro set teamed NICs, and that server does not work on the network. Windows boots fully, gives no specific errors, no network.
A: We are not seeing this issue reported on the server update for DNS server. For issues with security updates please contact CSS for free support 1-866-PCSAFETY.
Q: We uninstalled the update; server still does not “see the network”. Question: Is this a known issue with this update, or am I having another problem?
A: We are not seeing this issue reported on the server update for DNS server. For issues with security updates please contact PSS for free support 1-866-PCSAFETY.
Q: With XP SP3 being released through Automatic Updates on July 10th, how long do we have until the security patches are based on SP3 and not released for SP2 anymore?
A: Service Pack 2 will be supported for 24 months after the release of SP3, so until July 2010. See the lifecycle for SP2 http://support.microsoft.com/lifecycle/?p1=6794
Q: Have there been any known issues after security update MS08-040 (SQL)?
A: No known issues for MS08-040 at this time.
Q: Can you clarify what MS08-038 applies to? According to Altiris it’s not applicable to standard English builds.
A: This update is applicable for all versions of Windows Vista and Server 2008 systems.
Q: What is OWA premium?
A: OWA Premium implements the full complement of features, including Spelling Checker, Reading Pane, Notifications and Reminders, Weekly Calendar Views, Right-Click Menu, Drag-and-Drop and Voice Mail Options to name a few, while OWA Light (Basic) implements a small subset of these features. To see more details on this comparison refer to http://technet.microsoft.com/en-us/library/aa997437(EXCHG.80).aspx
Q: Does the MS08-039 update need to be installed on Frontend OWA servers only or on both Front & Backend Exchange servers?
A: MS08-039 should be applied to all affected versions of Exchange as documented in the bulletin (http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx) to protect all servers and to ensure Exchange server interoperability within your Exchange environment.
Q: Not sure if you mentioned it, but is there a timeline for a patch for KB953635 (Vulnerability in Microsoft Word Could Allow Remote Code Execution)?
A: Microsoft is investigating new public claims of a possible vulnerability in Microsoft Word. We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact. We will take steps to determine how customers can protect themselves should we confirm the vulnerability.
Q: I am at version 9.00.3239 for SQL 2005. Do I have to install the patch?
A: You do not since your version number is higher than 9.00.3233.
Q: Regarding QFE, does that include a service pack which is installed after the OS? Like going from Gold to SP1? Or from SP1 to SP2? or would these be still considered GDR?
A: Service packs are not GDRs or QFEs, but they can possibly have a GDR or QFE associated with them. Service Packs are treated similarly to a ‘main’ release. So, to use your example, Gold can have a GDR and/or a QFE patch. SP1 can also have a GDR and/or QFE patch. Please keep in mind that the specifics can differ for different products (i.e. Office vs. SQL).
Q: What is the best way to apply kb953747 on an Exchange cluster?
A: The procedure for clusters typically involves moving all the resources, taking the other node offline and applying the update, then bringing it online. For instance, let’s say you have 2 nodes: bring node 1 offline and apply the update, move the resources to node 1 once the update has been applied, then take node 2 offline and apply the update, and then bring node 2 back online.
Q: On the malware install, can the EULA be suppressed?
A: When deploying the Malicious Software Removal Tool in an enterprise environment, please review KB articles 891716 and 890830 which list command line switches for silent install and other enterprise deployment considerations. Also, for deployment via WSUS the EULA is typically accepted on the WSUS management console rather than on every client individually.
Q: WSUS 3.0 provides a pretty good list of superseded patches for a given patch, but I’m having trouble finding this on Microsoft’s website. Can you provide me a good link to show a list of patches that are superseded by a patch or will show if a given patch
A: The TechNet Security Bulletin Search web site located at http://www.microsoft.com/technet/security/current.aspx will allow you to find supersedence for any MSRC security bulletin.
Q: MS08-039, does OWA run by default in Premium mode?
A: This depends on the browser the client is using to access the Outlook Web Access Site. To use OWA Premium, the browser must include support for ActiveX and the restricted IFRAME features. Therefore, if you use a browser without these features, you will only be able to use OWA Light. The OWA login screen displays the mode to be used. For more information on this please see the Security Vulnerability Research and Defense blog at <http://blogs.technet.com/swi/>, specifically <http://blogs.technet.com/swi/archive/2008/07/08/MS08-039-which-users-are-vulnerable-to-OWA-XSS-vulnerability.aspx>.
Q: How can I tell if I’m running OWA “Premium”?
A: There are radio buttons at the login screen that let you choose the version you want.