Today we published the Questions & Answers from the August 2010 Security Bulleting webcast. We answered a total of 17 questions concerning the March bulletins and open Security Advisories. No particular themes emerged from the questions but there were some good ones so please review them.

The video covers the core part of the presentation Adrian Stone and I gave during the webcast. We talk about the 14 bulletins for August and Security Advisory 2264072.

Please join us for our next scheduled webcast where Adrian and I, along with a room full of subject matter experts, will present on the Security Bulletins for September and try to answer all your questions live.

Date: Wednesday, September 15, 2010
Time: 11:00 a.m. PDT
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454433&EventCategory=4&culture=en-US&CountryCode=US  

Thanks!

Jerry Bryant
Group Manager, Response Communications

Hello –

During today's webcast our team of technical experts answered over fifty questions regarding the August 2010 Out-of-Band Security Release update questions.   Click here to review the entire list of questions and answers from today's Out-of-Band webcast Q&A page.

Also, here is the link to the Q&A index page for your review -  in case you wanted to view any of the past 12 webcast Q&A's.

As always, customers experiencing issues with the installation of today's security update should contact our Customer Service and Support group:

• Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
• International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

We look forward to your joining us during our regular monthly webcast on August 10, 2010.  Click here to register

Thanks!

Christopher Budd

Sr. Security Response Communications

Last week Adrian Stone and I conducted a webcast to cover the Internet Explorer out-of-band security bulletin release. We only spent a short period of timing on the presentation and then spent the rest of the time answering customer questions which you can read here.

There were some interesting questions and hopefully those who attended came away with a better understanding about how to better protect themselves from emerging threats. One resource we referred customers to several times is a new blog post by the Microsoft Malware Protection Center (MMPC) where they chart attacks against CVE2010-0806 by local:

http://blogs.technet.com/mmpc/archive/2010/03/30/active-exploitation-of-cve-2010-0806.aspx

To be clear, this data comes from attempted exploits of the vulnerability against customers who are protected by Microsoft security products such as Microsoft Security Essentials and Microsoft Forefront Client Security, etc. In these cases, the exploit failed because mitigating signatures are in place (see article for details). One of the questions we got in the webcast was:

“If my malware protection is updated and covers this vulnerability, am I covered throughout the normal update cycle?”

This would only be true for known exploits and not the vulnerability itself. Once we find a new exploit, the MMPC can develop and deploy a signature for it. Applying the update addresses the vulnerability itself and is why we recommend that as the priority in addition to upgrading to the latest version of Internet Explorer (IE8) if you have not done so already.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Our next regularly scheduled bulletin release is Tuesday April 13, so that means we will be conducting another public webcast on April 14. We invite you to attend that webcast and bring any questions you have regarding the April release and we will try to answer them all live on the air. Here is the registration information:

Date: Wednesday April 14
Time: 11:00 a.m. PDT (UTC –8)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427721

Thanks!

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

*This posting is provided "AS IS" with no warranties, and confers no rights*

Today we published the Questions & Answers from the March 2010 Security Bulleting webcast. We answered a total of 13 questions concerning the March bulletins and open Security Advisories. No particular themes emerged from the questions but there were some good ones so please review them.

The video covers the core part of the presentation Adrian Stone and I gave during the webcast. We talk about the two bulletins for March, a bulletin re-release and Security Advisory 981374.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Please join us for our next scheduled webcast where Adrian and I, along with a room full of subject matter experts, will present on the Security Bulletins for April and try to answer all your questions live.

Date: Wednesday, April 14
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427721

Thanks!

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

To clarify what the bulletin states, if you do not have any Windows 2000 SP4 clients on your network then you do not need to apply the SQL Server update that corresponds to the version of SQL Server you are running. In this case, you would only need to apply the update for the client operating systems on your network. This is because on platforms newer than Windows 2000 SP4, the operating system will use its own version of the affected component (gdiplus.dll) rather than the one distributed by the RSClientPrint ActiveX control through SQL Server Reporting Services.

In the video below, Adrian Stone and I go in to details on each bulletin to cover the vulnerabilities, affected platforms, attack vectors, and mitigations:

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Next month we will host our live security bulletin webcast on November 11 at 11:00 am Pacific time (UTC -7). To register for that webcast, please follow this link.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

As we mentioned in the webcast, The MS09-048 bulletin has been updated to call out Windows XP in the affected products list with a severity rating of low for the two Denial-of-Service vulnerabilities (the third, Remote Code Execution vulnerability, does not affect XP). As stated in the bulletin, in the default configuration, Windows XP is not affected by any of the issues addressed by the bulletin. However, we heard from enterprise customers that custom configurations that put XP in a vulnerable state are in use so we updated the bulletin for clarity. Does this mean there will be an update for Windows XP? No and I will use the text from the bulletin to explain why:

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

Concerning MS09-048 and Windows 2000, the scenario is very similar to Windows XP in that an attack requires a sustained flood of specially crafted TCP packets and the system will recover once the flood stops. Keeping Windows 2000 servers behind a NAT or reverse proxy can help to reduce risk.

In the last blog post I called out MS09-045 and MS09-047 as the highest priorities for deployment and while MS09-048 has received a lot of attention, we want to continue to stress getting those updates installed to all users.

This month we are leaving the Q and A out of the video because we have posted those questions to the blog and to keep the overall duration of the video down. If you like it this way or if you prefer us to leave that portion in, head over to the TechNet Edge site where we host the videos and leave your feedback there.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

Following the webcast we got feedback that folks liked the new deployment priority slide as well as the new detail slides for each bulletin. We appreciate the feedback and will keep looking for ways to improve the content.

Please plan on joining us for our next regularly scheduled webcast on October 13 at 11:00 a.m. Click HERE to register.

Thanks!

Jerry Bryant

There were several questions about MS09-028 and MS09-032. These security updates addressed two open security advisories (971778 and 972890 respectively). One common question was “if I installed the Fix it workaround in the advisory, do I need to uninstall it before installing the update in the bulletin?”. The answer to that question is no, you can install the security update right on top of the Fix it workaround.

Another area where we were asked for clarification was if the cumulative security update of ActiveX Kill Bits contained the kill bit for the OWC advisory (973472). Good question. The kill bit provided in the advisory is not part of MS09-032. The issue discussed in the advisory is still under investigation and when that is complete, we will take appropriate action to protect customers. Meanwhile, we encourage all customers to evaluate and apply the workaround as quickly as possible.

With that, here is the complete list of questions and answers and I invite you to view the video below from today’s webcast.

More viewing and listening options: Windows Media Video (WMV) Windows Media Audio (WMA) Large Preview Image (PNG) Small Preview Image (PNG) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) Zune Video (WMV)

Please join us August 12th for our next regularly scheduled webcast following the August bulletin release where we will again have a room full of subject matter experts to answer all of your questions.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*