December 2013 Security Bulletin Webcast Q&A

Hosts:          Jonathan Ness, Security Development Manager
                Dustin Childs, Group Manager, Response Communications
Website:        TechNet/Security
Chat Topic:     December 2013 Security Bulletin Release
Date:           Wednesday, December 11, 2013

Q: Why is the update from Microsoft Security Advisory 2905247 being released through a security advisory rather than a security bulletin?
A: The update provided by Security Advisory 2905247 does not directly address a security vulnerability. Instead, it aids administrators by preventing their ASP.NET site from entering into a vulnerable state.

Q: For the Authenticode change in Microsoft Security Advisory 2915720, what will happen in June 2014?
A: Once enabled, the new default behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure.  After June 10, 2014, Windows will no longer recognize non-compliant binaries as signed.  The advance notice and time allows for binary authors (websites and applications) to make necessary changes to ensure customers can access their content.

Q: Regarding Microsoft Security Advisory 2915720, can I enable the signature verification behavior in advance of June 10, 2014? 
A: Yes. Customers who choose to enable the new Authenticode signature validation behavior before June 10, 2014 can do so by setting a key in the system registry. Once the key is set, Windows Authenticode signature verification will no longer recognize binaries with Authenticode signatures that contain extraneous information in the WIN_CERTIFICATE structure.
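The two answers above describe the WIN_CERTIFICATE change only in the abstract. The Python below is added here as an illustration and is not code from Microsoft or from the advisory: it locates the security data directory of a PE file, parses the first WIN_CERTIFICATE entry, and measures how many bytes sit after the DER-encoded PKCS#7 SignedData blob, which is the "extraneous information" the new validation behaviour no longer accepts. The sample PE is constructed inside the block (a bare PE32+ header with only a security directory, and a dummy DER SEQUENCE standing in for a real signature), so nothing here verifies a signature. Treating up to seven trailing zero bytes as the format's 8-byte alignment padding is this example's own assumption about the file format, not a description of what Windows checks.

```python
"""Measure trailing data after the PKCS#7 blob in a PE's WIN_CERTIFICATE.

Added example code (not Microsoft's implementation).  The PE used as input
is constructed below and is not a real signed binary.
"""
import struct

WIN_CERT_HDR = struct.Struct("<IHH")      # dwLength, wRevision, wCertificateType
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
ALIGNMENT = 8                             # WIN_CERTIFICATE entries are 8-byte aligned


def der_sequence(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE (tag 0x30) with a correct length field."""
    n = len(content)
    if n < 0x80:
        return bytes([0x30, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x30, 0x80 | len(lb)]) + lb + content


def der_sequence_total_length(blob: bytes) -> int:
    """Header + content length of the outer DER SEQUENCE at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        total = 2 + first
    else:                                 # long-form: (first & 0x7F) length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            raise ValueError("malformed DER length")
        total = 2 + n + int.from_bytes(blob[2:2 + n], "big")
    if total > len(blob):
        raise ValueError("DER SEQUENCE runs past dwLength")
    return total


def security_directory(pe: bytes):
    """Return (file offset, size) of the security data directory, or None."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 4 + 20               # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                    # PE32: data directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:                  # PE32+: data directories start at +112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    off, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if off and size else None


def check_authenticode_padding(pe: bytes) -> dict:
    """Inspect the first WIN_CERTIFICATE entry and report bytes after the DER blob.

    'compliant' is True when nothing follows the PKCS#7 SEQUENCE except zero
    bytes that fit inside the 8-byte alignment padding (example's assumption).
    """
    sec = security_directory(pe)
    if sec is None:
        return {"signed": False, "compliant": True, "extra_bytes": 0, "extraneous": b""}
    off, size = sec
    dw_length, revision, cert_type = WIN_CERT_HDR.unpack_from(pe, off)
    if dw_length < WIN_CERT_HDR.size or dw_length > size:
        raise ValueError("WIN_CERTIFICATE dwLength outside the security directory")
    blob = pe[off + WIN_CERT_HDR.size: off + dw_length]   # bCertificate
    der_len = der_sequence_total_length(blob)
    trailing = blob[der_len:]
    padding_ok = len(trailing) < ALIGNMENT and all(b == 0 for b in trailing)
    return {"signed": True, "revision": revision, "type": cert_type,
            "der_length": der_len, "extra_bytes": len(trailing),
            "extraneous": b"" if padding_ok else trailing, "compliant": padding_ok}


def build_sample_pe(extra: bytes = b"", content_len: int = 300) -> bytes:
    """Constructed input: a PE32+ shell whose only content is one WIN_CERTIFICATE.

    The PKCS#7 body is a dummy SEQUENCE of 0xA0 bytes; 'extra' is appended after
    it and the entry is zero-padded to 8-byte alignment, as a real entry is.
    """
    body = der_sequence(b"\xA0" * content_len) + extra
    body += b"\0" * ((-(WIN_CERT_HDR.size + len(body))) % ALIGNMENT)
    dw_length = WIN_CERT_HDR.size + len(body)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)       # x64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                                 # NumberOfRvaAndSizes
    cert_off = 0x40 + 4 + len(coff) + len(opt)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, dw_length)
    cert = WIN_CERT_HDR.pack(dw_length, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for label, pe in (("clean", build_sample_pe()),
                      ("smuggled data", build_sample_pe(extra=b"https://example.invalid/installer?id=42"))):
        print(label, check_authenticode_padding(pe))
```

To run this against real files, replace the constructed sample with the bytes of a signed executable; only the first entry of the certificate table is inspected, and a signature that fails here will still verify on a system that has not yet enabled the new behaviour, which is exactly why the advisory gives advance notice.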

Q: Does the Exchange update (MS13-105) contain any security-related changes to functionality?
A: No, Exchange Server 2013 Security Updates only contain fixes for the issue(s) identified in the security bulletin. Update Rollups for Exchange Server 2007 and Exchange Server 2010 may contain additional fixes but do not for this particular release. The update rollups which address the issues in this bulletin contain only security fixes which have been released since the previous update rollup for each product became available.

Q: We are using MS Lync for voice/phone calls. When installing MS13-096 while on a live voice/phone call, will it disrupt the call?
A: Yes, Lync calls will be affected while installing MS13-096. The FAQ in the bulletin also addresses this question.

Q: Has there been an update released to correct the broken out of office functionality that was caused by patch KB2837618 last month?
A: We are actively working on a fix, which will be released when it is completely tested.

Q: Regarding MS13-096, does the AU/MU client correctly detect and apply the update for Office 2007 if only the Office tools (MODI) are installed on a supported Windows OS?
A: The detection looks first for the Office SKU and for the relevant binaries, and then applies the security update; it ignores the OS.

Q: So on local denial of service, what about terminal servers? And what about the scenario where someone can compile and run a program on a terminal server to cause denial of service?
A: Terminal Servers are affected by this vulnerability and we recommend applying security updates. Please refer to the CVE FAQ for more information: https://technet.microsoft.com/en-us/security/bulletin/ms13-101

Q: If I didn't install security updates this week would Microsoft Security Essentials have already been updated and so block any attacks that Microsoft update would block automatically?
A: While Microsoft Security Essentials can detect attacks, it is a reactive tool and part of defense in depth. It is not a replacement for fixing vulnerabilities and applying updates.

Q: When will the update for Microsoft Security Advisory 2914486 be released?
A: We will continue to work to complete the update and will release it when it has met our quality bar.

Q: Will Advisories be available on WSUS? I can't see them.
A: If an advisory is “security lite,” then it can be seen in WU/WSUS. If it’s not marked as security lite, then it will not show up there. For advisories that are not for Microsoft products, there will never be an update. For the recent .NET advisory, it was DLC-only, so it will also not show up in WU/WSUS.

Q: Would KB2905247 cause Remote Web Access (RWA) to stop working on Small Business Server 2011?
A: No, it will continue to run on Small Business Server.

Q: Microsoft Security Advisory 2916652 lists Windows Phone 8 as affected, but not WP7/7.5. Is Certificate 'AC DG Trésor SSL' included in WP7 and 7.5, and if so will an update be issued?
A: Microsoft Security Advisory 2916652 addresses Windows Phone 8. Windows Phone 7 and 7.5 customers are not impacted.

Q: Is there a webcast or resource available for non-security updates you mentioned in regards to KB2837618?
A: KB2837618 discusses Microsoft Outlook. If you want a reference to resources for non-security updates for Outlook, visit the Outlook Team blog at: http://blogs.office.com/b/microsoft-outlook/

Q: In the past several months there have been a high number of patches that have broken functionality of Office, particularly Office 2013. This has caused a lot of complaints and anger from my clients that I have updated. Can you address this and what is being done to prevent it?
A: We are very aware of the impact the recent issues have caused with our customers.  Our plan is to implement changes in our release process that will try to capture these types of issues before they reach our customers.  We take these issues very seriously and will work hard to prevent situations like this in the future.

Q: How can I tell if I have Fix its installed that I no longer need? Or, is there a reporting tool to audit Fix its applied to a system, particularly with the capability to flag obsolete Fix its? Is this, or could this capability be, added to Baseline Security Analyzer?
A: MBSA does not currently support scanning for possibly unneeded Fix its installed on your system. This feature will be evaluated for inclusion in future versions and tools.

Q: Before I release updates to my organization I like to wait a few days and see what problems people are having, even before releasing to my “test/pilot” computers. Where is the best place to go on the web to review problems with updates? The WSUS forum or system center forum or another place?
A: The bulletins are updated with known issues and corrective actions as they are discovered. The link to known issues is found in the first table of the bulletin labelled “Knowledge Base Article.”