February 2013 Security Bulletin Webcast Q&A
Hosts: Jonathan Ness, Security Development Manager
Dustin Childs, Group Manager, Response Communications
Chat Topic: February 2013 Security Bulletin Release
Date: Wednesday, February 13, 2013
Q: Does MS13-009 completely replace the December Internet Explorer update and the January OOB release?
A: Yes. This bulletin supersedes all previous updates.
Q: Does MS13-009 on IE10 (Windows 8/RT) include Adobe Flash 11.6.602.167, or is Adobe Flash on Internet Explorer 10 only serviced via MSE 2755801?
A: MS13-009 on Internet Explorer 10 does not include Adobe Flash 11.6.602.167. Adobe Flash on Internet Explorer 10 is and will continue to be serviced via MSE 2755801.
Q: Why weren’t MS13-009 and MS13-010 combined into one bulletin?
A: MS13-009 is a security update that resolves 13 vulnerabilities in Internet Explorer. MS13-010 is a security update that resolves one vulnerability in Microsoft’s implementation of Vector Markup Language (VML). The VML vulnerability could allow remote code execution if a user viewed a specially crafted webpage using Internet Explorer.
Q: When was the last time that Microsoft released two Internet Explorer-related bulletins?
A: The last time Microsoft released two Internet Explorer-related bulletins was June 2011.
Q: Can I apply the update for Microsoft Exchange outside the update rollup?
A: Security updates for Microsoft Exchange, including those addressed by MS13-012, are included as a part of Update Rollups for Microsoft Exchange and cannot be installed outside of the Update Rollup. For Update Rollup 10 for Microsoft Exchange Server 2007 Service Pack 3 (KB2788321), see Microsoft Knowledge Base Article 2788321. For Update Rollup 6 for Microsoft Exchange 2010 Service Pack 2 (KB2746164), see Microsoft Knowledge Base Article 2746164.
Q: If I disable WebReady document viewing in Outlook Web Access, does that mitigate the Oracle vulnerability (MS13-012) in lieu of applying the security update?
A: Disabling WebReady document viewing does mitigate the vulnerability.
Q: In the past, similar updates to .NET have been rated Critical. Why is update MS13-015 rated Important?
A: This security update is rated Important because of previously deployed mitigations to prevent browse-and-own scenarios, in which an attacker lures someone to open a malicious website.
Q: Why are there so many CVEs (30) addressed in bulletin MS13-016?
A: The 30 vulnerabilities share the same root causes: insufficient validation or locking of win32k objects after a user-mode callback.
Q: Regarding MS13-020, are there any suggestions to filter/scan RTF files to see if they contain ActiveX objects?
A: We do not offer a way to find RTF files that have an embedded Active/OLE object; however, we do provide guidance to prevent ActiveX controls from running in Microsoft Office. This can be found in the workarounds section of the vulnerability in the bulletin.
Q: The latest exploits for Adobe Flash and Adobe PDF are able to bypass EMET 3.0. Any chance we’ll see the 3.5 ROP mitigations officially released soon?
A: We are working toward a full release of EMET 3.5; until then, you can download the technology preview release of EMET 3.5 at: http://www.microsoft.com/en-us/download/details.aspx?id=30424.
Q: Windows RT is only serviced via Windows update (no WSUS or MBSA support), but I am unable to find file details in the KB articles to manually verify correct patch installation.
A: The experience is the same on Windows RT devices as other Windows systems. The only article found on this is a little old but the directions still hold true, http://technet.microsoft.com/en-us/library/cc776518(v=ws.10).aspx. On Windows RT, go to control panel → programs → view installed updates.
Q: Is the Win32/Sirefef component of the Malicious Software Removal Tool (MSRT) using the same detection/removal capabilities that are in the Microsoft Safety Scanner (MSERT)? Will it remove the malicious rootkit threat and also clean/restore the infected Windows OS components/services that are injected/deleted/replaced by the malicious Sirefef threat?
A: MSRT is using the same capabilities as MSERT. We will remove the threat and attempt to restore the services disabled/damaged by Sirefef.
Q: In previous bulletins, there was a “bulletin search” spreadsheet with a column that provided information about what bulletin was superseded with the new bulletin. Are you planning on providing this information again? Currently, you’re stating that this bulletin supersedes all previous bulletins without mentioning what bulletins are superseded.
A: Per customer feedback regarding accuracy, the “superseded by” column was removed. There are no plans to add it back at this time.
Q: Where can I find more information about the free IIS tool?
A: You can find more information by visiting the blog post describing ModSecurity IIS at http://blogs.technet.com/b/srd/archive/2013/02/11/introducing-modsecurity-iis-2-7-2-stable-release.aspx.
Q: What is Microsoft XML Core services used for and are they necessary to install?
A: Microsoft XML Core Services allows customers who use JavaScript, Microsoft Visual Basic Scripting Edition, and Microsoft Visual Studio 6.0 to develop XML-based applications that provide interoperability with other applications that adhere to the XML 1.0 standard. For more information, see the MSDN site, MSXML. There are no MSXML issues in this month’s release.