Security Bulletin Webcast Q&A - OOB December 2008

Hosts: Christopher Budd, Security Response Communications Lead

Mike Reavey, Group Program Manager (MSRC)

Website: TechNet/security

Chat Topic: Microsoft out-of-band Security Bulletin (MS08-067) TechNet Webcast
Date: Wednesday, December 17, 2008 and Thursday, December 18, 2008

Note: The questions below were submitted by webcast attendees and are not necessarily in the order in which they were addressed during the webcast.

Q: Microsoft Baseline Security Analyzer (MBSA) - Which do I use on Windows XP and Windows Vista boxes: MBSASetup-x64-EN.msi or x86?

A: To download the correct version of MBSA, be sure to download the platform version (either x86 or x64) that’s appropriate for your version of Windows. The x86 version is for 32-bit versions of Windows, while x64 is for 64-bit versions. MBSA will run on all Windows versions starting with Windows 2000 through Windows Server 2008 - including Windows Vista.

Q: Why did the work-arounds include changes to the Intranet Zone?

A: We recommend protections for attacks originating both on the internet (Internet Zone) and on your local corporate network (Intranet Zone). You should, of course, make a risk decision for your environment to determine if that is reasonable. I, for one, don’t trust all the hundreds of thousands of machines on the Microsoft corporate network.

Q: Is there only one patch for Internet Explorer (IE) 6.0 SP1 with Windows XP PRO Service Pack (SP) 2?

A: There is a patch for IE 6.0 running on Windows XP SP2. Please see the bulletin for the download links or search the Microsoft Download Center by the Knowledge Base (KB) bulletin number to get the download directly. You can also use Windows Update (WU) to get the update automatically.

Q: Are Servers running Outlook Web Access (OWA) vulnerable to code execution?

A: The server-side hosting OWA would not be vulnerable to code execution. A client connecting to OWA might be exposed to the vulnerability.

Q: Per the recommendation of updating with MS08-073 first before installing MS08-078, can these be pushed together via SMS, or does it require a push of MS08-073 first with a reboot before MS08-078 is pushed?

A: IE suggests that you install MS08-073 before installing MS08-078 but there is no requirement. In some cases, the MS08-078 update does not require a restart. If the required files are being used, this update will require a restart.

Q: If a client was infected before it was patched what will detect the intrusion?

A: The Microsoft Malware Protection Center MMPC group has been tracking the specific exploits and the malicious code they drop on its blog: http://blogs.technet.com/mmpc. This is a good place to review. It also reaffirms the need to maintain up-to-date antivirus protection on such systems. Depending on the exploit, removal will be different.

Q: We currently use Windows Server Update Services (WSUS) 2 - It looks like this update was downloaded for all Operating Systems (OSs) except Windows 2000. Can you confirm that a Windows 2000 version of this patch is available?

A: There is a patch available for both IE5.01sp4 and IE6sp1 on the Windows 2000 platform.

Q: Is there a better understanding or common direction of the presumed broadening scope of the malware drops being seen in the known exploit? Password stealers, keyloggers, trojans, botnets, etc?

A: A variety of malware specimens have been identified as part of these attacks. The MMPC has blogged on these attacks in more detail at http://blogs.technet.com/mmpc. The most common families seen with these attacks attempt to steal passwords of popular online games.

Q: Can an older Windows Server 2000 running Exchange 2005 behind a firewall, get infected by users on the network going to the websites or reading the emails?

A: If no users are browsing to untrusted content using client-side applications, the older Windows Server 2000 should be fine.

Q: Does DEP protect against the vulnerability without the patch?

A: DEP does not protect against the vulnerable code being reached. However, in order for an attacker to exploit the vulnerability for code execution, they will need to prepare memory in a certain way, and DEP is a fairly good protection against the tricks hackers use to prepare memory in this way. DEP + ASLR is very good at protecting against exploits, even without the patch.

Q: How can you see which computers on a large network have completed the update without WSUS?

A: Microsoft provides a free standalone scan tool called Microsoft Baseline Security Analyzer (www.microsoft.com/mbsa) that’s mentioned in the MSRC bulletin. It is a valuable free tool to assess the security state of your client computers and does not require WSUS.

Q: Is there an MSI or EXE available for download vs. the update site automatically installing it, i.e. a DMZ install?

A: Yes. Standalone versions of the update are available from links in the bulletin - which point to the Microsoft Download Center. There’s also the Microsoft Update Catalog site. Either site will work - simply search for the download by KB number or use links from the MSRC bulletin.

Q: If your clients don’t surf as administrator, does that mean the remote attacker cannot exploit this vulnerability to “own” the system?

A: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Q: Where can I find the registry info needed to undo the workaround of disabling island functionality - it was spelled out in the advisory prior to this patch release, but I can’t find it now? Thank you.

A: The bulletin will be revised to include the undo information for the registry modification workaround.

Q: You mentioned that this attack comes across as an email and link…is there a certain look or feel to the email we should be aware of…such as from? Or subject?

A: We started tracking that and the malicious websites that were hosting this exploit but the list has grown too large to manage. However, MMPC’s products are actually very good at detecting this so we should encourage people to use them.

Q: Will automatic updates for windows operating systems download and patch IE to protect against this attack?

A: If you use Microsoft Update or Windows Update, and run a supported Windows platform, your system will be offered and install the patch for Internet Explorer to protect against this attack. Automatic Updates is a part of Windows Update, so yes, your system will be protected.

Q: In the Key Notes column of the Exploitability Index section of the bulletin, it states “Internet Explorer runs in Protected Mode with default installations of Windows Vista and Windows Server 2008, presenting obstacles to the exploitation.” Does MS08-078 (Security Update for Internet Explorer) provide the same level of protection for Windows XP and Windows Server 2000/2003 to prevent obstacles to the exploitation?

A: MS08-078 patches the vulnerability in mshtml.dll. Protected Mode provides additional layers of protection making exploit of the vulnerability more difficult.

Q: There are reports (www.internetnews.com) that even patched computers with MS08-078 are still vulnerable. Have we wasted time and effort applying this patch?

A: We have received no reports of users with this patch installed being compromised. There are no known issues with this update.

Q: Is there a way to remotely enable automatic updates on limited user’s pc’s through the domain controller or with policies or remote registry?

A: Yes - there are a number of ways to accomplish this. Feel free to use the search bar at www.microsoft.com and search for “enable automatic updates policy” which will provide a number of helpful TechNet resources to do this.

Q: Is this vulnerability specific to “gamers”?

A: It is not specific to any type of user. This issue affects all systems where e-mail messages are read or where Internet Explorer is used; systems where this happens frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to browse and read e-mail on servers. However, best practices strongly discourage allowing this.

Q: Are current attacks limited and/or targeted, or are they becoming more general?

A: The attacks are still limited and with some exceptions are still geographically concentrated to a specific region. However, over the last few days prior to releasing the security update we did see an important increase in attacks, which caused us to release this update out of band. The MMPC, Microsoft’s Malware Protection Center, has published updates on their blog reflecting the changes in attack patterns and malware they have seen associated with this vulnerability: http://blogs.technet.com/mmpc/archive/2008/12/13/the-new-ie-exploits-for-advisory-961051-now-hosted-on-pornography-sites.aspx. According to their statistics made over the weekend, they believe roughly 0.2% of all users may have been affected by exploits for this specific vulnerability.

Q: When will the update be on WSUS?
A: The update is on WSUS now.

Q: Does this exploit in any way allow a remote directory traversal of a computer?
A: This vulnerability allows an attacker to take complete control if a user browses to a malicious website or otherwise parses untrusted content using a client-side application. We have not discovered a server-side attack vector.

Q: Would it cause a user to have masses of multiple IE windows open?
A: This occurring would not be typical behavior for the exploits we are currently aware of.

Q: Could you give the KB article to enable DEP via logon scripts / group policy? Also is this configured via BOOT.INI for IE 7/XP and BOOTCFG for Vista/2008?
A: Data Execution Prevention configuration is controlled through switches in the boot.ini file. You can use a startup script using “bootcfg” to modify the boot.ini file. Here’s a KB which describes how you can use this tool to modify the file: <http://support.microsoft.com/kb/291980/EN-US/>


Q: To better understand the data binding function, can you briefly give a practical explanation as to where this function may be invoked?
A: DHTML data binding is an IE technology that allows objects to be referenced from the IE document object model. The content just looks like regular XML. The best way to learn more is to search on MSDN for “DHTML data binding”.

Q: Does viewing an infected email in Office 2007 preview windows count as opening the email? At one time I had heard that Office 2007 preview of email was to help protect against infection.
A: To date, we have only seen active exploits that are dependent on scripting. The preview option disables script by default, thus preventing known exploits.

Q: Is it possible that an attacker’s code could delete data via mapped drives from a user’s desktop? Seems likely…
A: When successfully exploited, an attacker would gain the same privileges as the user of the machine. As such, he would be able to access any data to which the user would have access, including mapped drives. However, he would not be able to gain access to data of other users or the administrator on the same system.

Q: I have tried to download and install this through WSUS on Server 2003, but I cannot get it to download. Any ideas?
A: Please contact Customer Support Services if you are having trouble getting this update for WSUS Servers. The update has been available since its release and many customers have successfully downloaded and are deploying this update using WSUS. Since this is related to a security update, there should be no charge for the call.

Q: I see “Security update” for Internet Explorer 7 in Windows Vista (KB960714)” as an automatically approved update in my WSUS but I don’t see any for my XP or Windows 2000 machines.
A: If you are not seeing this update for all affected machines (any Windows machine with a supported version of Internet Explorer), please contact Customer Support Services if you are having trouble getting this update for WSUS Servers. You should be able to see this update for all supported Windows platforms. Since this is related to a security update, there should be no charge for the call.

Q: Prior to the release of the patch, some of the workarounds highlighted the fact that they (i.e. the workarounds) were likely to break ADO and/or XML data-island functionality. Is this true of the patch as well?
A: The security update does not break this functionality. In fact, we are not aware of any compatibility issues at this time. However, a workaround is developed as a more “broad” way to ensure that the issue can definitely not manifest itself, even if that means disabling other, useful functionality. As such, the workarounds had significant disadvantages which are not affiliated with the security update.

Q: Can 2003 servers hosting Citrix servers with clients rdp’ing into hosted apps become vulnerable by an infected client
A: If you allow your users logged in to Citrix/Terminal Services to read email or browse web pages, your terminal server or Citrix server will be vulnerable to this attack.


Q: Is Microsoft working with plugin vendors to ensure that enabling DEP for IE does not cause unintended crashes? I have been unable to use Sun JVM 1.6.0 Update 11, and the bug report is still open (bug_id=6545701).
A: Yes we are. We are working specifically with Sun and Adobe. Adobe now has DEP-compliant plugins and we are still working with Sun on the JVM.

Q: Does MS08-078 provide any enhancements to DEP to provide defense in depth protection against current exploits? The bulletin indicates some concept code is available to bypass DEP, and I hope this can be fixed.
A: MS08-078 fixes the vulnerability in Internet Explorer but does not directly implement improvements to our Defense in Depth security components in Windows. Individual Defense in Depth mechanisms, by their nature, may in specific situations be incomplete protection and could be bypassed. However, it is the full set of these Defense in Depth mechanisms, such as DEP, ASLR and SEH Overwrite Protection, that, used in combination, provides a strong mechanism of defense against new vulnerabilities and exploits. Microsoft continuously evaluates these mechanisms for their effectiveness and when needed will introduce changes to make them more effective. No improvements of such type have been included with this specific security update.

Q: How critical is it to get this update deployed to workstations where users are all configured as Basic/Limited Users - (Non Admin or PowerUser)?
A: If a basic/limited user browses a malicious web site without having installed the security update, his user account may become compromised. The net result would be that the attacker would gain basic/limited user privileges on the system. Depending on your organization and configuration, you as the administrator are best placed to assess the specific risk this poses to your organization. However, we strongly recommend installing the security update if these Basic/Limited users are allowed to access untrusted content such as internet web sites.

Q: Do software developers need to be aware of any differences in the new mshtml.dll file (in MS08-078) for apps that are using web browser controls?
A: The changes made by this security update are really very limited and do not affect the APIs developers use to interact with the components, or any way that browser controls would be implemented. Microsoft is currently not aware of any issues regarding compatibility of this patch with existing software either, though we continuously monitor the situation and will call any issues out in the KB articles should they be identified.

Q: Are we looking for update KB960714 on all our machines? If so, I don’t see this update on any of my machines even though we have auto install turned on through SUS for critical and security updates.
A: Using SUS, please ensure this update has both been downloaded into WSUS and that it was auto-approved. You can also use the free tool MBSA (www.microsoft.com/mbsa) to confirm that the security update is either installed or needed on a large number of machines.

Q: How big is the patch? Size and number of files?
A: The patch file sizes range from 1.5MB up to 14MB depending on the platform.

Q: Is the vulnerability constantly active or only when IE is open? For example, if IE is closed, will the attacker still be able to do anything?
A: The vulnerability can only be exploited while the user is running Internet Explorer and uses it to connect to a malicious website. However, once exploited, the attacker can run any code of choice within the user context. This means that he could launch an application that would allow him to access the system through other means. This code could continue to run after Internet Explorer is closed. As such, the machine can only be compromised while it is browsing malicious content, but once compromised, the attacker can maintain access to the system depending on the code he introduces to the machine.

Q: So if the update is installed on my servers, but not the workstations accessing the data on the servers via mapped drives, is the data on my servers still protected? Seems as if this update needs to be installed on all workstations and servers in my environment…true?

A: When successfully exploited, an attacker would gain the same privileges as the user of the machine. As such, he would be able to access any data to which the user would have access, including mapped drives. However, he would not be able to gain access to data of other users or the administrator on the same system. We recommend customers apply this update to protect workstations and servers.

Q: Are there any known malware/viruses that have been propagated by attackers exploiting this vulnerability? In other words, what might we look for to see if any of our systems have been attacked?
A: The Microsoft anti-malware team has been tracking the known malware targeting this vulnerability. They have a great write-up from a few days ago at http://blogs.technet.com/mmpc.

Q: Is there residual from the vulnerability left on the client computer that needs to be cleaned? If so, where is it found and what program is best to remove it, if any?
A: Exploiting the vulnerability is a one-step process which would not leave residual. However, the attacker will likely install malicious code immediately after doing so. Microsoft recommends running up-to-date antivirus software to detect and clean any infected machines. The MMPC, Microsoft’s Malware Protection Center has a blog on some of the families of malware they have identified in relationship with the current attacks: http://blogs.technet.com/mmpc/archive/2008/12/13/the-new-ie-exploits-for-advisory-961051-now-hosted-on-pornography-sites.aspx

Q: Does the Microsoft Management Console (MMC) ever use mshtml.dll?
A: We haven’t identified any way that MMC is exposed to this vulnerability. Remember that to be exploited, you’ll need to have an application browse to untrusted content and parse it with MSHTML.dll. Even if MMC does use MSHTML (not sure if it does), it wouldn’t be vulnerable unless it is parsing malicious HTML.

Q: If client was infected before it was patched what will detect the intrusion?
A: Microsoft’s MMPC group has been tracking the specific exploits and the malicious code they drop on its blog: http://blogs.technet.com/mmpc. This is a good place to review. It also reaffirms the need to maintain up-to-date antivirus protection on such systems. Depending on the exploit, removal will be different.

Q: We currently use WSUS 2 - It looks like this update was downloaded for all OSs except Windows 2000. Can you confirm that a Windows 2000 version of this patch is available?
A: There is a patch available for both IE5.01sp4 and IE6sp1 on the Windows 2000 platform.

Q: Is there a better understanding or common direction of the presumed broadening scope of the malware drops being seen in the known exploit? Password stealers, keyloggers, Trojans, botnets, etc?
A: A variety of malware specimens have been identified as part of these attacks. The MMPC has blogged on these attacks in more detail at http://blogs.technet.com/mmpc. The most common families seen with these attacks attempt to steal passwords of popular online games.

Q: Will an update be made available for Windows Mobile devices that use Internet Explorer? Is Pocket PC 5 or 6 included?
A: For information about receiving an update to your Windows Mobile device please contact your mobile service provider.

Q: Is this patch removable?
A: Yes, the update can be uninstalled. For exact procedures please review the “Security Update Deployment” section of the security bulletin at http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx which contains guidelines in the reference table on how to conduct the uninstall. Depending on the platform, it can be done either through the control panel or the specific uninstall binary, or both.

Q: Is there a redistributable version of this patch available for download?
A: Yes. Standalone versions of the update are available from links in the bulletin - which point to the Microsoft Download Center. There’s also the Microsoft Update Catalog site. Either site will work - simply search for the download by KB number or use links from the MSRC bulletin.

Q: Is there only one patch for IE 6.0 SP1 with XP PRO SP2?
A: There is a patch for IE 6.0 running on Windows XP SP2. Please see the bulletin for the download links or search the Microsoft Download Center by the KB bulletin number to get the download directly. You can also use Windows Update to get the update automatically.

Q: I updated the IE7 patch this morning and found that some of the settings were gone. I couldn’t make a connection to a certain web site. Is it true that the upgrade erases the settings?
A: The IE patch makes only a one-line change to MSHTML.dll. It doesn’t make any changes to erase settings.

Q: Is IE8 Beta 2 affected and if it is, is there already a patch?
A: IE8 Beta 2 is affected and there are patches available on the download center and Windows Update.

Q: Will antivirus be triggered if the exploit is taking place? Or is this transparent to the OS, and considered user action when this is happening? Can the attacker escalate privileges? Or same as user?

A: The exploit code would need to be downloaded and interpreted by Internet Explorer to be successful. Depending on the antivirus solution, and whether it is kept up to date, it may protect against this specific attack. Code will however only execute within the context of the local user. Users whose accounts are configured to have fewer user rights on the system would be impacted less than users who operate with administrative user rights.

Q: Are manual registry changes supported as opposed to deploying this patch?

A: The workarounds available in the bulletin provide registry modifications. The fix provided by Microsoft is a file replacement correcting the issue in the base .dll file.

Q: How do we stop hidden iframes in the registry?

A: No way to block hidden iframes, unfortunately.

Q: Would it be possible to restrict mshtml.dll to administrator use only to prevent regular users from utilizing IE on a server? - Would that potentially affect other applications that use mshtml.dll?

A: Yes, you can use a Windows ACL such as listed in the bulletin workaround steps. Just change the ACL from denying all to allowing only Administrators. At least Internet Explorer and Outlook, OE, Windows Mail, etc will be affected.

Q: Is the detection logic of this update smart enough to know that it does not need to be installed on a Server (2008) Core installation?

A: The update will not show as applicable for Win2k8 Core installations.

Q: Can this patch be deployed through GPO (ADS)?

A: Yes this can be deployed via scripting: Data Execution Prevention configuration is controlled through switches in the boot.ini file. You can use a startup script using “bootcfg” to modify the boot.ini file. Here’s a KB which describes how you can use this tool to modify the file:

<http://support.microsoft.com/kb/291980/EN-US/>


Q: With respect to testing, should we focus in on Data Binding within the .NET Framework, or is data binding used in other programming languages?

A: The vulnerable data binding attack vector is actually in DHTML. Really just XML. Search for DHTML Data Binding for more information about data binding objects to focus your testing.

Q: If IE7 is running on Vista using Protected Mode, does the attack run using the user’s full rights, or just the sandboxed rights?

A: In protected mode the attack would use user’s full rights *within* a sandbox environment. We have seen no attacks that are able to break out of the sandbox.

Q: What kind of passwords would it be able to retrieve thru this exploit? can it retrieve the login credentials of the desktop/server it was logged in? Or isolated so as to not impact other users and systems?

A: As this is a remote code execution vulnerability, a malicious user could potentially take control of the system in the context of the currently logged-in user. Any passwords that are stored or used on a system could potentially be compromised.

A: (PT 2) The Network Access Protection / Network Access Control (NAP / NAC) technology could be used to isolate unpatched systems from your network. Microsoft has a product, Cisco has a product. Both should be able to look for the affected version of mshtml.dll.

Q: Is this patch available in an MSI?

A: IE updates are not available in MSI formats.

Q: Does this threat apply to Windows Mobile and how do we get/apply updates for Windows Mobile v6.1?

A: Yes, Windows Mobile v6.1 is vulnerable. For information about receiving an update to your Windows Mobile device please contact your mobile service provider.

Q: We have seen a couple of different widespread attack vectors, mostly using IFRAMEs pointing to Chinese (.cn) servers.

A: Use of so-called hidden IFRAMEs, which are remote frames loaded into the webpage but, due to their parameters, invisible to the actual browser user, is indeed a common way of loading malicious code from a remote server into the browser. We are aware of these reports. As final exploitation takes place through the known exploit, installing the security update successfully protects the system.

Q: How do we test the vulnerability once it is installed to a workstation and/or a server? How do we protect visiting devices or external users accessing our website or network to make sure they are patched?

A: Probably the best way to check whether a workstation is safe is to look at the version of MSHTML in the Windows system32 directory. The “safe” versions of the DLL are in a KB article linked to the security bulletin.
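The version check described in the answer above, done at scale, as an added PowerShell example that is not part of the MSRC webcast or the bulletin. It reads the file version of mshtml.dll from each target's administrative share (both System32 and, on x64 hosts, SysWOW64, which holds the 32-bit IE build) and compares it with a per-IE-generation minimum. The minimum versions in `$SafeVersions` are placeholders: the real "safe" values come from the KB article linked to the bulletin and differ by platform, so replace them before relying on the report. The host names are constructed, and the script assumes the C$ share is reachable and `%SystemRoot%` is `C:\Windows`.

```powershell
# Added example (not from the MSRC webcast): inventory mshtml.dll versions
# across a list of machines without WSUS and flag copies older than the
# post-MS08-078 version for their Internet Explorer generation.
#
# ASSUMPTIONS (placeholders, not values from the bulletin):
#   - $SafeVersions holds one minimum version per mshtml.dll major version
#     (6 = IE6, 7 = IE7, 8 = IE8). Copy the real values from the KB article
#     linked to the security bulletin; they differ per platform.
#   - Targets expose the C$ share and use C:\Windows as %SystemRoot%.
#   - $Computers is a constructed sample list.

$SafeVersions = @{
    6 = [Version]'6.0.0.0'   # PLACEHOLDER: replace with the KB value for IE6
    7 = [Version]'7.0.0.0'   # PLACEHOLDER: replace with the KB value for IE7
    8 = [Version]'8.0.0.0'   # PLACEHOLDER: replace with the KB value for IE8 Beta 2
}
$Computers = @('WKS01', 'WKS02', 'TS01')   # constructed sample host names

function Get-MshtmlVersion {
    # Returns the four-part file version of one DLL, or $null if it is absent.
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Use the numeric parts rather than parsing the FileVersion string,
    # which carries a build tag such as "(xpsp.081120-1500)" after the number.
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function New-StatusRecord {
    param([string]$ComputerName, [string]$Path, [string]$FileVersion, [string]$Minimum, [string]$Status)
    New-Object PSObject -Property @{
        ComputerName = $ComputerName; Path = $Path; FileVersion = $FileVersion
        Minimum = $Minimum; Status = $Status
    }
}

function Get-MshtmlStatus {
    # Emits one record per mshtml.dll copy found on the target, or one
    # 'Unreachable' record if the administrative share cannot be opened.
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][hashtable]$MinimumVersions
    )
    $root = "\\$ComputerName\C$\Windows"
    if (-not (Test-Path -LiteralPath $root)) {
        return New-StatusRecord $ComputerName '' '' '' 'Unreachable'
    }
    foreach ($sub in 'System32', 'SysWOW64') {
        $path = Join-Path $root "$sub\mshtml.dll"
        $ver = Get-MshtmlVersion -Path $path
        if ($ver -eq $null) { continue }   # SysWOW64 only exists on x64 hosts
        $min = $MinimumVersions[$ver.Major]
        if ($min -eq $null)    { $status = 'UnknownGeneration'; $minText = '' }
        elseif ($ver -ge $min) { $status = 'Updated';           $minText = $min.ToString() }
        else                   { $status = 'NeedsUpdate';       $minText = $min.ToString() }
        New-StatusRecord $ComputerName $path $ver.ToString() $minText $status
    }
}

$report = foreach ($c in $Computers) {
    Get-MshtmlStatus -ComputerName $c -MinimumVersions $SafeVersions
}

# Console summary, plus a CSV of everything that still needs attention
$report | Sort-Object Status, ComputerName |
    Format-Table ComputerName, Status, FileVersion, Minimum, Path -AutoSize
$report | Where-Object { $_.Status -ne 'Updated' } |
    Export-Csv -NoTypeInformation -Path .\mshtml-needs-attention.csv
```

Comparing `System.Version` objects rather than strings avoids the classic mistake of treating `7.0.6000.16762` as smaller than `7.0.6000.9999` lexically; the same check is what a NAP/NAC policy or a logon script would perform against the DLL version before granting network access.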

Q: I’ve heard there is code in the wild that uses a cookie; does this update patch the cookie vector?

A: This patch protects against all attempts to exploit this vulnerability, no matter the attack vector.

Q: Can a piece of JavaScript, i.e. on an exploited banner ad on a normally trusted website, invoke the vulnerability?

A: Yes, banners could potentially deliver malicious code to an unsuspecting website and exploit customers running the vulnerable version of Internet Explorer.


Q: (related topic) As a defense in depth measure, Advisory 961051 and MS08-078 suggest “Enable DEP for Internet Explorer 7 on Windows Vista and on Windows Server 2008”. How can DEP be enabled through GPO/scripting/during initial deployment of the OS?

A: Data Execution Prevention configuration is controlled through switches in the boot.ini file. You can use a startup script using “bootcfg” to modify the boot.ini file. Here’s a KB which describes how you can use this tool to modify the file:

<http://support.microsoft.com/kb/291980/EN-US/>
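A startup script that sets the system-wide DEP boot policy, as an added PowerShell example; it is not part of the MSRC webcast or the KB article. The `bootcfg` and boot.ini approach in the answer applies to Windows XP and Windows Server 2003; on Windows Vista and Windows Server 2008 the boot configuration lives in the BCD store, so the script uses `bcdedit /set nx` there. The script assumes the boot.ini OS entry to change is ID 1 (a single-boot system; confirm with `bootcfg /query`) and that it runs with administrative rights, for example as a computer startup script. The new policy only takes effect after a restart.

```powershell
# Added example (not from the MSRC webcast): set the system-wide DEP policy
# from a startup script. XP/2003 use the /noexecute switch in boot.ini (as the
# answer describes); Vista/2008 keep the same setting in the BCD store.
# ASSUMPTIONS: boot.ini OS entry ID 1 is the one to change (check with
# "bootcfg /query"); the script runs elevated; a reboot applies the change.

function Set-DepBootPolicy {
    param(
        [ValidateSet('OptIn', 'OptOut', 'AlwaysOn', 'AlwaysOff')]
        [string]$Policy = 'OptOut',   # OptOut: DEP for every process unless explicitly excluded
        [int]$EntryId = 1             # boot.ini OS entry number from "bootcfg /query" (assumption)
    )
    $osMajor = [Environment]::OSVersion.Version.Major
    if ($osMajor -ge 6) {
        # Vista / Server 2008: "{current}" is the BCD entry that booted this session.
        # The braces are quoted so PowerShell does not parse them as a script block.
        & bcdedit.exe /set '{current}' nx $Policy | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
        return "BCD nx=$Policy"
    }

    # XP / Server 2003: /noexecute switch on the OS load options line in boot.ini
    $bootIni = Join-Path $env:SystemDrive 'boot.ini'
    $content = [IO.File]::ReadAllText($bootIni)
    if ($content -match '/noexecute=\w+') {
        # bootcfg /raw can only append (/A) or replace the whole options string,
        # so an existing switch is rewritten in place rather than duplicated.
        $updated = $content -replace '/noexecute=\w+', "/noexecute=$Policy"
        if ($updated -ne $content) {
            attrib.exe -R -S -H $bootIni          # boot.ini is read-only, system, hidden
            [IO.File]::WriteAllText($bootIni, $updated)
            attrib.exe +R +S +H $bootIni
        }
    } else {
        # No switch yet: append it to the OS entry's load options with bootcfg
        & bootcfg.exe /raw "/noexecute=$Policy" /A /ID $EntryId | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "bootcfg failed with exit code $LASTEXITCODE" }
    }
    return "boot.ini /noexecute=$Policy"
}

# Apply the policy, then show the resulting boot configuration for verification
Set-DepBootPolicy -Policy 'OptOut'
if ([Environment]::OSVersion.Version.Major -ge 6) {
    bcdedit.exe /enum '{current}'
} else {
    bootcfg.exe /query
}
```

`OptOut` is the usual choice for a workstation fleet because it covers Internet Explorer and every other process without an explicit exclusion list; `AlwaysOn` removes the per-application opt-out, which is where the plugin compatibility problems mentioned elsewhere in this Q&A (the Sun JVM, older Adobe plugins) surface, so test it before pushing it broadly.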


Q: Could you explain the restart behavior of the patch in more detail?

A: After the patch is installed, users will be notified that a restart is required to finish this update. Users who install through Automatic Updates will be restarted automatically.

Q: The suggested work-arounds involved making changes to OLEdb. Will this update have any impact on OLEdb and what risks are there to various applications such as Exchange, SQL and any other services or apps that use OLEdb?

A: The update will not have any impact on OLEDB. In fact, OLEDB32 was actually not touched by this update. Only MSHTML changed. The OLEDB32 workaround was to block the attack vector.

Q: You state in one of the slides that the vulnerability cannot be automatically invoked during browsing, could you go further into this? Could clicking a link on a webpage cause this vulnerability to be invoked?

A: If a user clicks a link on a webpage or even just browses to a malicious website, the vulnerability could be invoked.

Q: We’ve tested the uninstall feature via Add/Remove Programs, yet you’ve just told us it cannot be uninstalled. Does the uninstall not actually work?

A: You can uninstall this. I suspect it may be a misunderstanding with Vista and Server 2008. You cannot script the install or removal on Vista or 2008, but our automatic tools work in both cases, and our UI tools do as well.

Q: We are using SMSv3 and are mid swing in our deployment of the Tuesday releases. If a machine is pending a reboot from the patch Tuesday set will the client pick up the MS08-078 patch while in this dirty state prior to the reboot?

A: Even with a pending reboot from previous updates, an SMS managed client will easily and correctly identify the need for this update on any affected client.

Q: Can a user receive an html email in Outlook 2007 and become infected just by viewing the email?

A: Outlook 2007 actually does not use MSHTML.DLL to parse HTML email.

Q: Are there other common attack vectors that you are seeing in the wild?

Is it being advertised in spam? Or have you seen it in widespread .html email?

A: We have not seen a working exploit using HTML email. In fact, we think it is unlikely to happen in the near term. All active exploits we have seen require scripting and scripting is not allowed in HTML email.

Q: Some websites are claiming they were compromised as part of this vulnerability. Are there known sites that are still hosting the code?

A: Websites that were compromised and were aware of this have been actively taking action to clean their site from containing the exploit code. However, due to the nature of these attacks the number of sites affected may increase or decrease at any point in time. The MMPC has reported on the amount of sites they have seen over the last few days in their blog, and may provide further updates, so we recommend following their blog if this is of interest to you. While blocking such sites at the perimeter adds some value, when SQL injection comes into play it is difficult to stay ahead of which sites are affected, which is always a very reactive process. As such we strongly recommend installing the security update to protect your systems.

Q: Could Citrix/Terminal servers be infected from the clients?

A: If you allow your users logged in to Citrix/Terminal Services to read email or browse web pages, your terminal server or Citrix server will be vulnerable to this attack.

Q: Are any other Data Binding controls or custom Programs possibly affected by this oledb32.dll security issue?

A: This vulnerability is in the way MSHTML parses malicious XML specifying data binding objects. We fixed the issue in MSHTML so all attack vectors are blocked.

Q: What is MS HTML and how do we know if it is in use on a workstation or server?

A: MSHTML is the core rendering engine for web pages in Internet Explorer.

Q: Are there applications other than Outlook and IE that use the vulnerable DLLs?

A: Applications that use the Web Browser control could be vulnerable to this attack. It depends on Exception handling conditions in the application.

Q: What about environments where web services sit in DMZ zones and interact with clients using IE?

A: We recommend installing the update on all systems that use Internet Explorer. However, if you require prioritization due to the vast amount of systems requiring the update, you may want to prioritize based on the exposure of those systems to untrusted content. Machines which connect to the “untrusted” internet would best be patched first, those connecting to more internet-facing systems such as DMZ web services second, and machines which only connect to highly trusted, internal machines last.

Q: Is there an enterprise solution to block via firewall, anti-virus protection, or some other means besides updating every single system with MS08-078?

A: We have shared detection guidance with our MAPP partners. Some of them do have comprehensive protection for this vulnerability. We recommend that you check directly with your security software provider.


Q: Is the patch for all languages or are there languages specific versions?

A: There are language-specific versions. These can be obtained either automatically from Microsoft Update, manually from the Microsoft Update catalog site, or from the Microsoft Download Center after selecting the language drop-down list.

Q: Another question, how can we tell if MSHTML is in use?

A: One easy way is to use the tlist tool that ships with the Windows debugger for free. tlist <pid> will show all the loaded modules for a given process.

Q: Does this patch make any modifications to the registry? We have an Oracle reporting function that relies on special registry settings for IE. I want to make sure these settings are protected from modifications.

A: The registry modification made by this update is detailed in the detection and deployment section of the bulletin.

Q: McAfee AVERT labs reports an attack vector where a MS Word document uses an ActiveX control to access a malicious web site and exploit this vulnerability. Does this patch remedy this attack vector?

A: All HTML parsing from malicious web sites will be done by the system mshtml.dll. The security update fixes the core system mshtml.dll so the security update fixes all attack vectors.

Q: What are the live exploits for this security hole installing on machines?

A: Our colleagues over at MMPC have blogged about this some… http://blogs.technet.com/mmpc

Q: Is there a way to deploy the update to multiple machines without physically touching them when WSUS has not been deployed yet, and GPO has automatic updates turned off? (Client does not want other updates installed, only this one)

A: The specific packages can be manually downloaded and deployed with a script on Windows XP, Windows 2000, and Windows Server 2003. Vista and 2008 do not support scripting.

Q: Can you give an example of use cases where a restart would be required - e.g. user is reading HTML email when the patch is applied, user is browsing a web page, etc.?

A: The user would be required to reboot if Iexplore.exe is running on the machine at the time your machine applies the patch.

Q: You said to deploy MS08-073 first followed by MS08-078. If we are unable to do this on servers, will the application of MS08-078 be regressed by installing MS08-073 at a later date?

A: Customers will not be regressed when installing MS08-073 after MS08-078.

Q: If we deploy MS08-078 now and at a later date deploy Windows XP Service Pack 3, will we have to re-install this patch?

A: When upgrading from XP SP2 to XP SP3 there will be a delta in the binaries between the SP offering and this update. However, this update as well as other security updates will be on the system and will be applied. When installing a “clean” or new version of XP SP3, Automatic Update will detect that this update needs to be applied and will offer this update to the system after booting.

Q: What is the impact to Java based applications as a result of this patch?

A: Java based applications should not be impacted by the changes made for this update.

Q: Due to corporate critical business issues we did not deploy the December patches to our desktop or server environment as yet. Will one reboot handle the reboot needs of this patch when deployed with other December critical patches, or do we need two reboots - one for the December patches and one for this new patch?

A: In some cases, yes, this patch may require a reboot. Any program that may keep the needed file open may require a reboot. Although not a 100% guarantee, closing IE will certainly reduce the likelihood of a potential reboot.

Q: Since this is not a cumulative patch, has it been tested with versions of IE that don’t have security patches since April 2006 when the asp start function was changed?

A: We do not develop patches for or test on unsupported systems and encourage users to upgrade to supported versions.

Q: Can a restart be avoided for XP clients if users are told to close IE prior to update sent via WSUS?

A: In some cases, yes. Any program that may keep the needed file open may require a reboot. Although not a 100% guarantee, closing IE will certainly reduce the likelihood of a potential reboot.

Q: Are there any ActiveX killbits that can be set to help mitigate this vulnerability?

A: Unfortunately, no. This is in core XML parsing.

Q: Can we get a directly downloadable package of this update for use instead of Windows Update or deployment with WSUS?

A: All packages are also available on the Download Center at http://www.microsoft.com/downloads - search for KB960714.

Q: Does the IE7 sandboxing in Vista mitigate this attack?

A: Yes, absolutely. Protected Mode in IE7 will greatly reduce the risk of this vulnerability. In fact, some of the exploits that we have seen check OS version and do not offer the exploit to Vista customers.

Q: Is Server 2008 Core not affected because IE (or ActiveX) is simply not installed?

A: Server Core does not have IE or any other way of rendering HTML pages and is thus not affected.

Q: Just curious, I have actually patched one server 2003 server and it did require a reboot and another one that did not. Is there some way to determine which ones will and will not require a reboot?

A: There’s no exacting way to determine whether a reboot is needed or not in all cases - but mostly, if the file being updated is not in use, there will not be a required/needed reboot.

Q: Can you tell from Help/About in IE whether you have the update installed?

A: The bulletin lists verification procedures in the detection & deployment section under “Verifying That the Update Has Been Applied” - This shows all the ways to verify the update was successfully applied.
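The two checks this Q&A keeps returning to, whether the update is present and whether the file it replaces is currently in use (the tlist suggestion given earlier, and the reboot questions), can be scripted for a fleet. The PowerShell below is an added example and is not from the webcast, the bulletin or Microsoft tooling; it assumes PowerShell 2.0 or later with Get-HotFix and Get-Process available, and uses the KB number the page gives (KB960714). Process module enumeration needs elevation to see every process; processes it cannot open are skipped, so an empty result means "none of the processes we could inspect", not "none at all".

```powershell
# Added example (not from the MSRC webcast): report whether KB960714 (MS08-078)
# is installed on this host and which processes currently have mshtml.dll
# loaded, since an in-use mshtml.dll is what forces a restart on update.
# Assumes PowerShell 2.0+; $KbId and $ModuleName are parameters, not values
# taken from the bulletin beyond the KB number itself.
param(
    [string]$KbId       = 'KB960714',   # KB number stated on the page
    [string]$ModuleName = 'mshtml.dll'  # file replaced by the update
)

function Test-UpdateInstalled {
    param([string]$Id)
    # Get-HotFix reads Win32_QuickFixEngineering, which lists installed updates by KB id.
    $hotfix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-ProcessesWithModule {
    param([string]$Name)
    # Walk every process we can open and look for the named module among its
    # loaded DLLs. Reading .Modules on protected or other-user processes throws
    # when not elevated; those are skipped rather than treated as clean.
    Get-Process | ForEach-Object {
        $proc = $_
        try {
            $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $Name })
            if ($hits.Count -gt 0) {
                New-Object PSObject -Property @{
                    Pid     = $proc.Id
                    Process = $proc.ProcessName
                    Path    = $hits[0].FileName
                    Version = $hits[0].FileVersionInfo.FileVersion
                }
            }
        } catch {
            # Access denied: cannot enumerate this process's modules without elevation.
        }
    }
}

$installed = Test-UpdateInstalled -Id $KbId
Write-Host ("{0} installed on {1}: {2}" -f $KbId, $env:COMPUTERNAME, $installed)

$users = @(Get-ProcessesWithModule -Name $ModuleName)
if ($users.Count -gt 0) {
    Write-Host ("{0} is loaded by {1} accessible process(es); applying the update now will likely need a restart:" -f $ModuleName, $users.Count)
    $users | Select-Object Pid, Process, Version, Path | Format-Table -AutoSize
} else {
    Write-Host ("{0} is not loaded by any process this session could inspect." -f $ModuleName)
}
```

Run it elevated on a machine before pushing the update to see which processes (Internet Explorer, but also any application hosting the Web Browser control, as another answer on this page notes) would hold mshtml.dll open; the Version column is what you would compare against the file version the bulletin's verification section lists once the update has been applied.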

Q: Do you know of any web based applications that this update might break?

A: This fix is actually very precise - it is just a one-line fix. We think the risk of breaking web applications is actually quite remote, but recommend testing in your environment.

Q: Some of our workstations run windows XP SP1. If this is an update for IE does it matter that I am running SP1, will it check the OS version?

A: Microsoft no longer supports Windows XP SP1, support for which expired on October 10th, 2006. As such we have not published a patch for these platforms. We recommend upgrading to a supported platform at your earliest convenience, so the patch can be applied.

Q: I would like to concentrate regression testing to those applications most likely to be impacted. How can I determine if my application uses the affected functions and could be affected by the patch?

A: Regression testing on applications should focus on applications that use Data Binding in Internet Explorer.

Q: Would like to understand all of the ways that this weakness can be exploited. Do you have to be using IE for it to happen or is having it installed enough?

A: Any application that uses mshtml.dll to parse untrusted XML could potentially be used as an attack vector for this weakness. There is only one way we have seen this attack. The attacks we have seen so far have been only one single

Q: Most IE updates are cumulative but MS08-078 is not. Did the urgency of this fix prevent this OOB from superseding MS08-073, or was it designed this way to aid in rapid testing and deployment?

A: The IE team felt that it was best to address just the vulnerability in the release. If the release had been cumulative, it would have only contained the same binaries released in MS08-073.

Q: Is IE8 (beta) vulnerable to this?

A: Unfortunately yes.

Q: How do you determine whether you have an infected server or an infected webpage?

A: Microsoft recommends using commercially available antivirus and security products to identify and clean potential infections on servers. Microsoft’s MMPC group has been tracking these specific exploits and the malicious code they drop on its blog: http://blogs.technet.com/mmpc. This is a good place to review. It also reaffirms the need to maintain up-to-date antivirus protection on such systems.

Q: Have there been any reports of exploits taking place inside of an HTTPS/SSL tunnel where an IDS/IPS cannot generally inspect or block traffic?

A: The exploits we have seen so far have not used HTTPS to hide from IDS. We have certainly not seen every exploit so that is just what we have seen.

Q: Can you elaborate on the dependencies between the IE Roll Up package from earlier this month and this out of band patch?

A: The Cumulative Security update contains all of the security updates for the platform to date. MS08-078 only contains security updates for MSHTML.DLL.

Q: Have there been any compatibility issues with this update?

A: There are no known issues with the update at this time.

Q: We are currently planning on just putting this on our Internet-facing servers only and doing the rest of the environment as time permits. Is that a reasonable plan for patching what we perceive to be the most vulnerable servers first?

A: If you don’t interact with untrusted content (websites etc) on your servers ever, they are actually at significantly less risk than client workstations. I would suggest if you were to prioritize that you start with the workstations where users are browsing, etc.

Q: What is the impact of application servers that have IE installed but without internet access, but logged in with a NPA account?

A: This vulnerability requires that a user is logged on and reading e-mail messages or is visiting Web sites for any malicious action to occur. If servers are restricted from browsing or reading e-mail, their exposure and impact is minimal.

Q: Does MS08-078 apply to IE6 SP2? Specifically 6.0.2900.2180 XPSP_SP2

A: Yes, the update applies to XP Service Pack 2.

Q: What non-regression testing do you suggest before deploying “in a hurry”?

A: IE suggests testing any data binding scenarios that you may have prior to deploying this update.

Q: Is this vulnerability wormable and have there been any reports that an affected workstation could affect a non malicious website?

A: Since the vulnerability requires user interaction (e.g. visiting a malicious website), it is not considered a wormable vulnerability.

Q: Is this vulnerability wormable and have there been any reports that an affected workstation could affect a non malicious website?

A: This vulnerability cannot be exploited without user interaction. For malware to spread using this vulnerability, a client-side application would have to parse malicious content (XML).

Q: Is this patch available for SMS 2003 download or just WSUS?

A: This security update is available for all versions of SMS and all Microsoft Detection and Deployment offerings including WSUS Server, Small Business Server, Security Center Essentials, and MBSA.

Q: If we install the patch on IE6 and then upgrade to IE7, will we need to re-install the patch?

A: Users who upgrade to IE7 from a fully patched IE6 system will be offered patches for IE7 required to make them fully patched.

Q: Would we only need to apply this patch to servers running IE, all servers, or is this strictly a desktop (or Citrix farm) issue?

A: Any systems where e-mail messages are read or where Internet Explorer is used, such as workstations or terminal servers, should be updated. Servers could be at more risk if administrators allow users to browse and read e-mail on servers. However, best practices strongly discourage allowing this.

Q: Does MS08-078 (KB960714) supersede MS08-073 (KB958215)?

A: No. MS08-078 does not supersede any previous bulletin. Please be sure to refer to the MSRC bulletin information for details on supersedence.

Q: Is it mandatory MS08-073 be deployed before MS08-078? Will we run into problems if we deploy MS08-073 after MS08-078?

A: Answer to #1 and #2:

The development and testing of this fix occurred on systems that have been patched with the latest IE update. IE recommends that the latest cumulative update be applied prior to MS08-078.

Q: The advance notification email included a paragraph about US customers contacting the FBI if they feel they have been affected by this problem. Is this normal for you to include this verbiage in all critical releases or is there something different about this threat?

A: This is standard verbiage and the recommendation for all customers who feel they have been compromised by a particular issue.

Q: We are in a yearend change freeze. What is the risk of implementing MS-078 without implementing MS-073?

A: IE encourages all users to install MS08-073 before installing MS08-078. MS08-073 will install after installing MS08-078, but MSHTML.DLL will not be replaced with the version from MS08-073.

Q: Are there any exploits for IE 6 known at this time? The only ones we have been able to find are targeting IE 7

A: We don’t have visibility into all attacks. However, of the malicious attacks that we have observed, only Windows XP and Windows Server 2003 running IE7 have been vulnerable. There is certainly exploit code available that targets other platforms but we have not seen active attacks use that publicly-available exploit code.

Q: Hi, I would like to know, if we deploy the patch and then install a minor update to IE, would we need to reapply the patch?

A: No. Due to Microsoft installer technologies, the latest files will always be installed if needed - and older files will not overwrite newer updates or files.


Q: Does this vulnerability affect IIS? Specifically, is there any danger of an infection on a workstation making the jump to a server?

A: We have not discovered any server-side attack vector for this vulnerability. We have only identified client-side exposure. So to be infected, you would need to parse malicious XML using a client-side application.

