Hosts: Adrian Stone, Senior Security Program Manager Lead
Jerry Bryant, Senior Security Program Manager
Website: TechNet/security
Chat Topic: April 2009 Security Bulletin
Date: Wednesday, April 15, 2009
Q: I understand that Windows Server Update Service (WSUS) v2.0 Service Pack 1 lifecycle support ends April 2009. My question is, will WSUS v2.0 Service Pack 1 continue to be a working tool beyond this month?
A: We plan to make most new updates, including the latest version of Windows Server Update Service (WSUS) itself, available to older versions of WSUS. The obvious exception will be those updates that pertain to features only present in the newer version of the WSUS server.
Q: Since Windows Server 2003 Service Pack 1 Lifecycle ends on 4/14/2009, will the April Updates install on this Operating System (OS)? If so, is this the last time they will apply to this OS?
A: As a friendly reminder, the “affected software” section in the security bulletin is the resource for this information – it allows you to determine whether an update applies to a specific platform. Looking at the affected software section in MS09-010 for example, this update lists Windows Server 2003 Service Pack 1 as applicable, so yes, MS09-010 will install on Windows Server 2003 Service Pack 1.
Q: Will any of the updates resolve the blue screen issue with KB958690 ( MS09-006)?
A: We’re not aware of any widespread issues with KB 958690 (MS09-006). If you are experiencing blue screens or other issues, please visit Microsoft Support (www.microsoft.com/support for options) for security update support.
Q: I have installed Windows Vista Service Pack 2 and as a result, I did not receive any security updates, 4/14/09; Where does that leave me, as well as others, that installed Service Pack 2 Evaluation copy?
A: Windows Updates with a Critical rating that are not already included in the Service Pack are made available to Windows Vista & Windows Server 2008 Service Pack 2 pre-release versions. For the 4/14 releases there are applicable Windows Updates for MS09-013 and MS09-014. The MS09-013 updates apply to Service Pack 2 Beta and the MS09-014 updates apply to Service Pack 2 Release Candidate.
Q: Access to my production servers are only allowed on port 80/443; outbound traffic is allowed only through a proxy server and to connect to Microsoft website for updating; how concerned should I be if I don’t update my servers?
A: While there are mitigations of varying levels that you can introduce with configurations, Microsoft _strongly _recommends (repeat, strongly recommends) that you evaluate, test and deploy all applicable security updates based upon your own risk assessment, from the security bulletin documentation.
Q: Regarding MS09-013, is this a default component installed for all affected Operating Systems?
A: Yes
Q: Please elaborate on the MS09-013 attack vectors
A: There are three different vulnerabilities resolved in the MS09-013 security update. Information on possible attack vectors are listed in the vulnerability specific Frequently Asked Questions (FAQ) entries. However, WinHTTP, or the Windows HTTP Services, is an API within Windows that offers HTTP connectivity services to both third party and Microsoft applications and services running on a Windows system. An application can call into the API to set up a connection to an external host using HTTP. These vulnerabilities can be attacked by abusing these outbound connections. Generally speaking, this means they will affect connections initiated by Windows HTTP Services to untrusted hosts. For instance, CVE-2009-0086 is a Remote Code Execution (RCE) vulnerability in which an untrusted host to which WinHTTP connects can exploit and compromise the client system using an integer underflow vulnerability. We recommend reviewing the FAQ.
Q: MS09-013 and MS09-014 bulletins address vulnerability CVE-2009-0550. Why do we have two separate bulletins to address the same vulnerability?
A: This security update addresses the NT Lan Manager (NTLM) credential reflection issue for the HTTP attack vector, which includes both the WinHTTP and WinINET Application Programming Interfaces. The fix for WinHTTP is included in MS09-013, whereas the fix for the WinINET API, used by Internet Explorer, is included with MS09-014. This is addressed in the bulletin FAQ.
Q: Can you clarify the situation between MS09-015 and Windows 2000? Why is Microsoft Windows 2000 listed in the Affected Software table without a security impact and a severity rating?
Why is Microsoft Windows 2000 listed in the Affected Software table without a security impact and a severity rating?
A: Microsoft Windows 2000 is listed without a security impact and a severity rating because this update does not have the same fix for Microsoft Windows 2000 as for other supported Windows operating systems. Instead, this update only has a defense-in-depth change specific to Microsoft Windows 2000. The Defense-in-Depth change requires a registry key be edited to enable the fix on Windows 2000. Microsoft recommends Customers extensively test updates prior to deploying them into the environment.
Q: Do you use the Common Vulnerability Scoring System (CVSS) in order to classify your Severity? If not, do you use any other defined standard method?
A: The bulletin severity is not based on CVSS. Details about how severity is determined is found at http://www.microsoft.com/technet/security/bulletin/rating.mspx; more information about how the exploit index is determined can be found at http://technet.microsoft.com/en-us/security/cc998259.aspx
Q: I would like to know if there is an archive for all bulletins that shows the Aggregate Severity and Exploitability Index rating.
A: The Security Bulletin Search page contains an archive of all bulletins that you can search on using different criteria, which does include severity. The Exploitability Index (XI) is only available on the monthly summaries, and the ratings are not intended to be updated into the future, as time can change the factors that we use to make our rating. This said, the monthly summaries that contain the Exploitability Indexes can be accessed at http://www.microsoft.com/technet/security/bulletin/summary.mspx**
Q: In MS09-015, though the title of the bulletin says it is an Elevation of Privilege vulnerability, the details of the bulletin states that an attacker who successfully exploits the vulnerability can run arbitrary code. Then why is this rated as moderate and not critical when it is a remote code execution vulnerability? Would this vulnerability need an attacker to log on locally to the system to exploit the vulnerability?
A: This issue is rated as Moderate due to its blended threat nature requiring additional applications and conditions before being exploitable. By itself it is not a straightforward exploitable condition.
This vulnerability would require an attacker to create a specially crafted file and then convince a user to download the file onto the desktop. The user would then have to launch an application that will open this specially crafted file. However, an attacker would have no way to force users to download such files and place the files on the desktop.
Q: We tested MS09-010 (Office2003-KB960476-FullFile-ENU.exe) on a PC running Windows XP Service Pack 3 and Microsoft Office 2003 Service Pack 3 but it says “The expected version of the product was not found on your system. Please suggest a course of action?
A: This security bulletin affects both Windows and the Office platforms. As the bulletin “affected software” summary lists, this security vulnerability does not affect Microsoft Office 2003 Service Pack 3. However, it does affect the Microsoft Office Converter Pack, which is originally based on older Microsoft Office 2003 code. Hence the security update filename is Office2003-KB960476… However, the software you list that you are running does not require installation of the Office security update, only the Windows one.
Q: On MS09-015 can you explain what the SearchPath is. Is this used in the MS indexing services?
A: The description of SearchPath is that it “searches for a specified file in a specified path.” The SRD has released a blog entry that provides some details regarding SearchPath within the context of the MS09-015 bulletin. This can be found at http://blogs.technet.com/srd. Detailed information regarding SearchPath can be found on MSDN at the URL http://msdn.microsoft.com/en-us/library/aa365527(VS.85).aspx. An easier method than remembering the URL can be done by browsing to http://msdn.microsoft.com and searching for “SearchPath”. It is the first link on the results list. The Microsoft Indexing Service when launching could use this, similar to any other application, to locate library files required for running.
Q: Question regarding MS09-012. This is listed as “Important” but has an Exploitability Index of 1. The only way to exploit this is if the hackers can logon to the machine. But what if a virus gets into the machine which has the logic to exploit this vulnerability then it will have full access to the machine? Then won’t this be critical?
A: The issue addressed is a local elevation of privilege exploit, which rates as Important for affected platforms (see http://www.microsoft.com/technet/security/bulletin/rating.mspx for an explanation of severity ratings). The active attacks and availability of PoC give this an Exploitability Index (XI) rating of the bulletin severity would not change based on malware activity.
Q: The updates for MS09-016 are still not available in SCCM. We have run synchronization multiple times. Is there some reason for the delay? A:** System Center Configuration Manager (SCCM) should be pulling the update manifest from Microsoft Updates. We tested that these updates were indicated for direct Microsoft Updates and via Windows Server Update Services. You might want to verify that the requests to Microsoft Update (MU) are occurring properly. Also, please make sure you have updated your update catalog in SCCM. If you have not updated your catalog the patch definitions for Microsoft Internet Security and Acceleration Server (ISA) will not be contained in your detection.
Q: What about the registry key that is mentioned in MS09-014 that has to be set to be fully protected against CVE-2008-2540? Could you please talk about that a little bit? What problems have been identified by Microsoft which made you leave that registry key out of the patch?
A: During testing, Microsoft identified potential application compatibility issues and recommends that if customers determine they are at risk to the Blended Threat represented by this issue, they perform testing in their environment before rolling out the patch.
Q: On MS09-016, if the html form is presented by IAG instead of Microsoft ISA 2006, is this still considered a vulnerability?
A: No; IAG uses its own forms-auth mechanism that is not impacted by the ISA FBA vulnerability.
Q: For the MS09-012 vulnerability, why isn’t email an attack vector? Why couldn’t the attacker create something to execute and take advantage of the vulnerability remotely?
A: This vulnerability cannot be exploited automatically through e-mail. In order for the issue to be exploited, an attacker would need to execute code on an affected system. This cannot be done automatically via an e-mail message. If an attacker can convince a user to execute code attached to an e-mail, any number of scenarios is possible. See Law #1 of the 10 Immutable Laws of Security at**http://technet.microsoft.com/en-us/library/cc722487.aspx
Q: Is there a link you know of that shows the supported versions of Office and Windows?
A: All Microsoft products and their support status can be obtained by going to http://www.microsoft.com/lifecycle
Q: What do the superscript numbers on the Detection and Deployment slide mean?
A: They reference footnotes at the bottom of the slide that provides exceptions. For example, if a bulletin has a No3,4 listed under MBSA, then MBSA does not support that bulletin update, however, there are two exceptions listed under footnotes 3 and 4 at the bottom of the slide.
Q: For MS09-010, if we are running Windows XP Service Pack 2 and have Outlook 2003 installed, are we protected already, or do we need to deploy MS09-010?
A: Yes. This security update consists of updates for both the Windows platform and Office, as both use similar converters affected by these vulnerabilities. As listed in the affected software table of security bulletin MS09-010, Windows XP Service Pack 2 is an affected platform, and the security update will need to be deployed. Outlook 2003 however, is a component of Office 2003 which is such not affected by this vulnerability. As such given this information you will not require the Office specific update that is also a part of MS09-010.
Q: MS09-010 doesn’t explicitly say that attack code runs in the security context of the user. Does this mean that it can gain elevated administrator privileges under a non-admin context?
A: The vulnerability in MS09-010 does not allow for elevation of privilege. The vulnerability FAQ’s state that an attacker who successfully exploits a vulnerability could run arbitrary code as the logged-on user, and this is accurate.