Inside MSRC: Visual Studio flaw, tool extensions explained

Christopher Budd of the Microsoft Security Response Center sheds light on a flaw in Visual Studio 2005 and explains that support for Software Update Services 1.0 will be extended.


Microsoft Windows, Microsoft Visual Studio, and a Windows bulletin that applies to Microsoft Internet Explorer (IE) are addressed in the final Microsoft monthly security bulletins for 2006.

None of the vulnerabilities in this month's bulletin affect Windows Vista or IE 7. If you are running IE 7, this month's IE bulletin doesn't apply to you. Also, if you're one of the lucky people who are running Windows Vista, the Windows bulletins don't apply to you.

In this final column for 2006, I'll cover information that we at Microsoft want you to understand as you evaluate, test and deploy this month's bulletins for your environment. First, I will provide information related to our detection and deployment tools. Then, I'll give some information about this month's bulletins that will be helpful for risk assessments.

About Inside MSRC:
As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.

Update on WSUSSCAN.CAB issue

In last month's column I discussed how we were making a new WSUSSCAN.CAB architecture available and how customers who use either Systems Management Server Inventory Tool for Microsoft Updates (SMS ITMU) or Microsoft Baseline Security Analyzer (MBSA) 2.0 in offline scan mode should download and begin to deploy the updated versions, which have been designed to support the new architecture.

I noted that this was due to an architectural limitation in the old WSUSSCAN.CAB architecture: because of that limitation, we had to remove information about obsolete security updates. I also noted that while we would continue to support the old architecture through March 2007, the limitation posed a growing risk that we would have to remove information about security updates that are now obsolete.

For the December 2006 security bulletin, we are still able to support the old WSUSSCAN.CAB by removing information about obsolete security updates. However, we estimate that in January 2007 we will have to begin removing information about older but current security updates. Because of this, we are very strongly encouraging customers, especially those using the SMS ITMU, to download and deploy the updated tools as soon as possible.

In the December 2006 security bulletin, we have removed information about security updates for Windows XP Service Pack 1 from the WSUSSCAN.CAB. As of October 2006, Windows XP SP1 is no longer publicly supported for security updates, so these updates are now technically obsolete. Once again, we strongly encourage anyone running Windows XP SP1 to upgrade right away to a publicly supported version of Windows: either Windows XP SP2 or Windows Vista.

I do want to note, though, that we have information about Windows XP SP1 security updates in the WSUSSCN2.CAB file.

SUS 1.0 deadline

Next I want to make you aware of a change we've made regarding the expiration of support for Software Update Services (SUS) 1.0. Based on customer feedback, we have extended the expiration of SUS 1.0 until July 10, 2007. SUS 1.0 will support the December 2006 monthly security bulletin. SUS 1.0 will also support the Microsoft monthly security bulletin until the July 2007 release. The July 2007 Microsoft monthly security bulletin will be the last release supported by SUS 1.0. Although we have made this extension to the expiration, we encourage customers to view this as additional time to complete their migrations that are already underway to Windows Server Update Services (WSUS). We strongly discourage any customers from using this time to pause or halt their migration. You can find information about WSUS, including information about how to migrate from SUS to WSUS, at the WSUS Web site.

MS06-073

Turning from detection and deployment news to information you can use for risk assessment of this month's bulletin, I want to draw your attention to MS06-073.

MS06-073 addresses an issue that we first discussed in Microsoft Security Advisory (927709).

This vulnerability is in the Windows Management Instrumentation (WMI) Object Broker, which is an ActiveX Control that the WMI Wizard uses in Visual Studio 2005. Because the WMI Object Broker is an ActiveX Control, the vulnerability can be exploited through browsing-based scenarios.

However, it is important to note that Visual Studio 2005 must be installed for the control to be present and for a system to be vulnerable. Further, customers running Visual Studio 2005 on Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected by the vulnerability. Visual Studio 2005 customers running Internet Explorer 7 with default settings are also protected by the ActiveX Opt-in feature in the Internet Zone. This means that those customers running Internet Explorer 7 are not at risk until the user explicitly chooses to activate the control. You can find out more about the ActiveX Opt-in feature on the Internet Explorer site. Because this issue is public and has been subject to very limited attacks, we encourage Visual Studio 2005 customers to deploy this update as soon as possible.

Enterprise Scan Tool

In looking at deployment options for the month, three bulletins are supported by the Enterprise Scan Tool (EST) because they are not fully detected by MBSA 1.2. MS06-073, MS06-076 and MS06-077 are all supported by the EST for those customers using MBSA 1.2. All the bulletins this month are supported fully by MBSA 2.0.

Conclusion

As we do each month, we will be holding our TechNet Security webcast to cover this month's bulletins the day after release. This month's webcast will be on Wednesday, Dec. 13, 2006, at 11 a.m. PST. During the webcast's live broadcast, we'll answer your questions on the air as well as review information about this month's bulletins. If you can't catch the webcast live, you can register for it and view it on demand.

Be sure to mark Tuesday, Jan. 9, 2007, on your calendars. That will be the first Microsoft monthly bulletin for 2007 and the day the next edition of this column will be published.
