Hosts: Adrian Stone, Senior Security Program Manager Lead
Steve Adegbite, Senior Security Program Manager Lead
Website: TechNet/security
Chat Topic: March 2009 Security Bulletin
Date: Wednesday, March 11, 2009
Q: The Bulletin Summary received yesterday indicated all MS09-008 vulnerabilities were set to Exploitability Level 2. When did this change and why?
A:MS09-008 should still have an Exploitability Index (XI) rating of 2 for all listed CVEs.
Q: What is the most likely time that updates are posted on patch Tuesday so I can set my check time just after the post time?
A: Security patches are typically released at 10:00 AM Pacific Time.
Q: Is there any update on the Excel Zero Day Exploit?
A: Microsoft does not provide release dates for security updates. We’re still conducting our investigation into these attacks and would like to refer you to the Advisory for information on how to mitigate the impact of this issue.
Q: In regards to MS09-008, if Web Proxy Auto-Discovery (WPAD) is in use, it states attacks can’t happen, then why are updates KB961063 and KB961064 available?
A: If the Windows Internet Name Service (WINS) server has WPAD registered, this will mitigate the attack. However, the update removes this vulnerability by modifying the way that WINS servers respond to WPAD and ISATAP name resolution requests.
Q: Are any of these vulnerabilities Wormable?
A: No. Two are spoofing-only; the one Remote Code Execution issue requires user action, and cannot be automated in a wormable fashion.
Q: There is not much information about these “in public”. Are these vulnerabilities actively exploited? MS09-008 describes two publicly disclosed vulnerabilities CVE-2009-0093 and CVE-2009-0094. Are these vulnerabilities somehow connected to KB 945713 (CVE-2007-5355).
A: The bulletin addresses server-side WPAD registration and the advisory is regarding client-side devolution. They both address WPAD issues, however they are separate. The CVE referenced by the advisory is not addressed by MS09-008.
Q: Since MS09-008 may require two patches if you have WINS and DNS on the same server will MBSA 2.1 reports list both KB961063 and KB961064 as needed/installed?
A: Yes, MBSA 2.1 and WSUS reports will list bothKB961063 and KB961064 as needed and installed.
Q: Are MSRT updates cumulative? In other words does March’s MSRT contain Feb, Jan… updates?
A: Yes.
Q: Is Windows XP coming to End-O- Life anytime soon for security updates? Similar to how Windows 2000 was End-Of-Life?
A: Please refer to www.microsoft.com/lifecycle for this and other product info
Q: When a patch replaces another patch does it remove the uninstall created by the prior patch to free up disk space? If not, is there a utility that will list and offer to clean up uninstalls of old obsolete patches?
A: The update installation itself will not remove update uninstall data for updates that are superseded. And there really are no tools that are designed to remove this content. There really is no such thing as an obsolete patch, and the assumption is that you may always want to back out of multiple packages. The disk cleanup wizard will give you this option in relation to service pack installs.
Q: Is MS09-008 required for SQL Server 2005 Service Pack 2, File Server, and Project Server 2007?
A: No - this update is only applicable to DNS and WINS servers
Q: For MS 09-008, if we automatically restart the Windows service every night, is that flushing the cache?
A: Yes. Restarting the DNS server service will flush the cache.
Q: For MS09-008, it is stated in your slides that it replaces MS08-037. Is MS09-008 for the DNS server only or is it also for the DNS Clients?
A:MS08-037 had a server and client portion, whereas MS09-008 is server only. MS09-008 only replaces MS08-037 DNS server (KB951746) is replaced. Not the MS08-037 client.
Q: Relating to MBSA, how come MBSA reports a server has been updated; however, other scan tools, such as “Nessus”, report that it has not?**
A:MBSA checks for update compliance by looking at artifacts, such as registry keys and file versions to verify that an update has been installed. Many other scanners such as “Nessus” will verify that an update is installed by poking at the vulnerability. The criteria are not always exact, and odd behavior is not something that Microsoft can speak to. If MBSA says that you are updated, you can double-check using the criteria listed in the bulletin. If “Nessus” says otherwise, then you should check with them.
Q: Upon further investigation, files which should have been replaced by the update are still at their “older” version. What happened and how do we remediate this problem?
A: Timestamps are a bit problematic, so it is best to rely on version numbers to determine if a file has been updated or not - this said, the first thing that you should do is verify that all requirements of an update are met, such as reboot requirements. The second thing is that you should verify if the update has been properly installed, by using the criteria listed in the bulletin. If you are certain of both of these things, we encourage you to call Microsoft support to start an investigation. As a reminder, Customer Service and Support is 1800-PCSAFETY
Q: Are all updates in wsusscn2.cab ?
A: Yes, they are. We did experience a small problem with the catalogue yesterday, requiring us to revise the catalog a little later in the day. You should find the current catalogue is complete.
Q: To mitigate the risk of MS09-006, do you recommend disabling metafile processing?
A: This is a valid workaround, however, you should be aware of the impact of workarounds before implementing them. These impacts are listed in the bulletin. Specifically, turning off processing of metafiles may cause the appearance of the output from software, or system components, to decrease in quality. Turning off processing of metafiles may also cause software or system components to fail completely. This workaround has been identified to have a potentially significant functionality impact and should be evaluated and tested carefully to determine its applicability
Q: Sounds like WPAD functionality is being removed. Is that the case? If not, how can the update differentiate between a genuine WPAD query, and an attack? Are you simply preventing dynamic registration of WPAD?
A: The security update does not remove the functionality. If the name WPAD is in the blocklist, it will block all queries. If you legitimately require it to be resolved, it should be removed from the blocklist and add the correct WPAD record in DNS. We are not preventing dynamic registration - this is still allowed, but the queries are being blocked based on the blocklist.
*This posting is provided “AS IS” with no warranties, and confers no rights.*