August 2014 Security Bulletin Webcast Q&A

Hosts: Jonathan Ness, Security Development Manager
       Dustin Childs, Group Manager, Response Communications
Website: TechNet/Security
Chat Topic: August 2014 Security Bulletin Release
Date: Wednesday, August 13, 2014

Q1: For MS14-044 in a clustered SQL 2008 the bulletin states to apply the update to the active node, then the inactive node. That is opposite of what we were told in the past, which was to update the inactive node, fail over SQL to that node, then update the now-inactive node.

A1: Customers can successfully update in either order, for example, either active or inactive nodes first. However, customers may reduce downtime by updating passive nodes first. We plan to revise the guidance for MS14-044 to clarify this point.

Q2: MS14-051 is supposed to download a template with additional policies to make changes for the upcoming ActiveX “blocking”, happening in around 30 days. Installing it on a system with IE11 works, but none of the other version patches for IE 8, 9, or 10 create the new policies, regardless of OS. Downloading from your site does not work as noted on the blog: “… We have tested the steps outlined in the Windows 2008 and above and seeing reports of Access Denied. I strongly suggest to simply install the Cumulative update instead.”

A2: Make sure that you’re running the command to copy the Group Policy files in an elevated command prompt (admin) in order to avoid getting Access denied warnings. Also, be aware that the Group Policy settings are not included in the cumulative update and need to be downloaded separately from the download center.

Q3: Is a minimum version of EMET required to mitigate MS14-046?

A3: EMET can be used to enforce ASLR in applications that use the affected .NET component. All versions of EMET can be used for this, but the operating system needs to support ASLR at OS-level (Windows Vista/Windows Server 2008 and later). The currently supported versions of EMET are 4.1 Update 1 and 5.0. We recommend customers use the most recent version of EMET.

Q4: Regarding the ActiveX-blocking added by MS14-051, what is the notice/publication protocol for changes to versionlist.xml?

A4: There will be a 30-day notice via the Internet Explorer blog for any new (i.e. not Java) outdated ActiveX controls being blocked by this feature. However, as for Java, whenever Oracle updates the Java security baseline, the newly outdated versions of Java will be automatically blocked without notice 30 days after the baseline is updated.

Q5: Our Payroll vendor is still using an old version of Java. Is there a way to prevent the ActiveX checking in MS14-051 until we can get an upgrade?

A5: You can use Group Policy Objects (GPOs) to disable the feature or to whitelist the payroll vendor's domain.

Q6: Will the IE updates in MS14-051 be made available for XP for folks that have a CSA?

A6: MS14-051 is critical, so updates will be available for CSA packages.

Q7: After MS14-051 is installed, what is the behavior if the versionlist.xml file is not present?

A7: If the versionlist.xml file is not present, the ActiveX control blocking feature will not block any ActiveX controls. However, by default, this file is automatically downloaded from Microsoft on a regular cadence.

Q8: I had read that the out-of-date ActiveX update would be part of Internet Explorer. But today when I updated my 8.1 machine, it showed up as an optional update that was not part of the IE update. Please explain.

A8: The ActiveX control blocking update is not an optional update, it's a part of the August cumulative update that shipped on Update Tuesday. However, the feature has been temporarily disabled, and will only begin blocking outdated versions of Java starting on 9 September.

Q9: Can you provide the link to the new Group Policies file?

A9: The updated Group Policy settings for Internet Explorer that include the new Group Policies for the ActiveX control blocking feature can be downloaded here:

Q10: If you are running Internet Explorer in a disconnected environment, how would the ActiveX blocking take effect?

A10: The ActiveX control blocking update will only take effect in Internet Explorer if the versionlist.xml file is downloaded from Microsoft, which normally happens the first time Internet Explorer is started after you install the update containing this feature. If this file is never downloaded, the feature will never block any ActiveX controls.