April 2013 Security Bulletin Webcast Q&A
Hosts: Jonathan Ness, Security Development Manager
Dustin Childs, Group Manager, Response Communications
Chat Topic: April 2013 Security Bulletin
Release Date: Wednesday, April 10, 2013
Q: The bulletin for MS13-028 says "yes" for known issues under the "Knowledge Base Article" section of the bulletin. However, when you click the link to go to the KB for 2817183, it is not clear what the "Known Issues" being referred to are.
A: What the designation refers to here is that there is additional information about the bulletin in the associated KB Article. If you look at the KB Article in the table, you see that there is a list of non-security hotfixes that will be installed as part of this cumulative security update for Internet Explorer.
Q: Do you know of any issues with MS13-021, the IE bulletin from last month? We had a deployment issue while we performed QA testing prior to deployment.
A: We are not aware of any issue with last month's IE cumulative update, MS13-021. Of note, the most recent IE cumulative update (MS13-028) will supersede previous cumulative updates and, as always, if you have deployment issues they can be escalated to Microsoft CSS.
Q: Is the MS13-029 vulnerability presented in this update mitigated if connections via TCP/UDP 3389 are blocked inbound at the perimeter?
A: MS13-029 documents issues in the Remote Desktop Client ActiveX control that runs in Internet Explorer which uses ports 80 and 443 by default. This does not affect Remote Desktop Server (which runs on port 3389). Firewall rules to block port 3389 would not be effective as a mitigation for this vulnerability.
Q: When the ActiveX control related to MS13-029 is exploited, how does the attacker connect to the RDC instance? Is the connection tunneled over the web protocol or is a separate connection opened to the exploited system via TCP/UDP 3389?
A: The vulnerability is a remote code execution issue when the ActiveX control is loaded in Internet Explorer; risk can be mitigated by restricting access to the affected DLL on the client. Please see the bulletin workaround section.
Q: In MS13-029, why are there no RDP 7 client updates for Windows Server 2003?
A: Windows Server 2003 is not affected by this issue.
Q: Related to MS13-029, how do you determine what version of RDC is running on your system? And if it's 5.1, is this update necessary?
A: The Remote Desktop Connection Client 5.1 is out of support, and so it was not evaluated as part of MS13-029. Legacy clients should be updated to be in support. To determine the version of your Remote Desktop Connection Client you will need to look for these two files:
Note that "mstscax.dll" is the file that contains the vulnerability that is being addressed in MS13-029.
Q: In MS13-031, can this possibly be executed by visiting a malicious web site?
A: The vulnerabilities addressed in this update are local elevations of privilege and are not known to have any remote vectors for exploitation.
Q: For MS13-034 on a Win 8 system with UEFI and GPT formatted partitions, how can the permissions be set since the volume is not NTFS?
A: The vulnerability in MS13-034 is not related to UEFI and GPT formatted partitions. It's the root directory permission settings that may allow the exploitation of this vulnerability.
Q: Since IE10 contains Adobe Flash, will Adobe release information ahead of patch Tuesday like the Microsoft Advance Notifications? Also does this month's IE 10 patch include Flash 11.6 or 11.7?
A: Adobe handles Flash security, notification and documentation. Please refer to the linked APSB13-11 as a definitive source of information.
Q: Update 2823180 for Windows Management Framework 3.0 was released this month. Will the original WMF 3.0 installer under KB2506143 be re-released via MS Update or WSUS?
A: Currently there are no plans to re-release Windows Management Framework 3.0.