Hosts: Adrian Stone, Senior Security Program Manager Lead
Jerry Bryant, Group Manager, Response Communications
Website: TechNet/security
Chat Topic: May 2010 Security Bulletin Release
Date: Wednesday, May 12, 2010
Q: Is Outlook Express installed by default in a Windows 2003 installation?
A: Outlook Express was included as an in-box component of Windows Server 2003. While it is less likely to be used on server systems, it is still present and a security update is available for these systems. We recommend installing it to ensure the system is protected even if the application is used accidentally.
Q: If I have installed Outlook as the primary email application have I created a sufficient mitigation for the MS10-030 exploit? A: Yes. Outlook is not vulnerable to this specific vulnerability and cannot be attacked. However, we still recommend installing this security update as it addresses the vulnerability in inetcomm.dll, a library which is used by the lightweight e-mail clients Outlook Express, Windows Mail and Windows Live Mail. While Outlook is not vulnerable, these three applications would still be vulnerable if used accidentally by the user. Hence we do recommend installing this security update even to those systems where Outlook is set up as the primary e-mail application.
Q: Is Office 2000 still supported? I was thinking that support was discontinued at the same time as Windows 2000 Service Pack 4. A: Per the Microsoft Product Lifecycle tool Office 2000 retired from support on 7/14/2009. Support for Windows 2000 ends on 7/13/2010.
Q: We are now seeing KB976002 in our list of available updates. It states the patch is for Europe Only, however we are in North America. Why does this show up for North American customers? A: The Browser Choice Update, KB976002: If your computer’s regional settings are set to one of the countries or regions in the European Union you will be offered the update through Windows Update. If you are using Windows Server Update Services (WSUS), the update will be listed on your WSUS console independent of your regional settings as described in KB894199. For more information about the Browser Choice Update, there’s a website that describes it in detail: http://windows.microsoft.com/en-GB/windows/what-is-the-browser-choice-update
Q: What is the status of a patch for the SharePoint Cross-Site Scripting (XSS) issue? A: We are working to produce an update for this issue but do not have a date for release at this time.
Q: Do you see any chance for another attack vector changing the existing mail preferences/settings or adding a new mail account that would point to a malicious mail server? A: No such attack vectors have been identified during our investigation. A user would have to manually configure a malicious server and check mail using it, or an attacker would have to alter data in transit on the network for this vulnerability to be exploited (which is the man-in-the-middle scenario). An attacker cannot remotely change mail preferences or settings without convincing the user to make these changes his or her self.
Q: What is the best way to add a patch to System Center Configuration Manager (SCCM ) that is not automatically downloaded via an Update List ? A: Please review the documentation that is available on http://www.microsoft.com/systemcenter/
Q: Where can I find information about Windows Activation Technologies?
A: You should review the Genuine Windows Blog for additional information which is linked here - http://blogs.msdn.com/wga/archive/2009/05/07/windows-activation-technologies-activation-and-validation-in-windows-7.aspx