February 2014 Security Bulletin Webcast Q&A
Hosts: Jonathan Ness, Security Development Manager Dustin Childs, Group Manager, Response Communications
Website: TechNet/Security Chat Topic: February 2014 Security Bulletin Release Date: Wednesday, February 12, 2014
Q: KB2862966 is listed as a pre-requisite for KB2862973. Our update deployment software installs KB2862973 before KB2862966. What is the impact if KB2862973 is installed first or at the same time before a reboot? Are there any other known issues to be aware of for these updates?
A: You must install KB2862966 prior to KB286973 as it contains associated framework changes to Windows that improves the management of weak certificate algorithms. Microsoft is unaware of any issues at this time.
Q: There has been lots of mention to test the .NET patch separate from all the other updates. Do you recommend this be done, and why or why not, or should all updates be applied and tested together?
A: The .Net Framework updates should be tested just as any other update would be tested; there is nothing unique to these .Net updates that would require additional or separate testing.
Q: For MS14-005 - What versions of XML Core Services including Service Packs are required to be applicable?
A: MS XML Core Services 3.0 is affected for the OS versions listed within the bulletin. The lifecycle and service mode of MSXML 3.0 is subject to the hosting Microsoft Windows operating system so the service pack levels are determined by the version of the operating system. Additional MS XML version info is available at https://support.microsoft.com/kb/269238.
Q: Will the April 8, 2014 Security Updates include Windows XP security issues or will the March Security Updates be the last for Windows XP?
A: The April 8th bulletin release would include security updates for Windows XP, should there be any vulnerabilities that affect Windows XP. Microsoft will stop providing Windows XP Security updates only after the April Security bulletin release.
Note: Setting aside the security update question, Microsoft announced last month that we will continue to provide updates to antimalware signatures and engine for Windows XP users through July 14, 2015. For enterprise customers, this applies to System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP. For consumers, this applies to Microsoft Security Essentials. For further details visit this Microsoft Malware Protection Center (MMPC) Blog Post: Microsoft antimalware support for Windows XP (at blogs.technet.com/mmpc).
Q: Will there be any Lync 2013 UI or functionality changes introduced with the Feb Security release? i.e. Icons, spell checking...changes that are not transparent to end-users?
A: None of the February security bulletins apply to or affect Microsoft Lync. So, since none of this month's bulletins affect Lync, there are no security bulletins that touch or change Lync in any way. If other, non-security updates are released this month that apply to Lync, that might be another story, but that is outside the scope of the security release. One place you can check for information on Office non-security updates is the Office team blog (blogs.office.com)
Q: Does Security Advisory 2915720 have any whitelisted date ranges or binaries like the MD5 checksum? Will this update affect the operation of sfc.exe?
A: Microsoft Security Advisory 2915720 specifically changes the verification behavior for Authenticode signed binaries by disallowing extraneous information in the WIN_CERTIFICAT structure. There are no whitelisted date ranges or binaries incorporated in this behavior change.
System File Checker is not using our Authenticode verification libraries. It is not affected by this update.
Q: Is there any guidance available on how to test authenticode signature verification changes that will be enabled on 6/10? What's MS's guidance on what and how to test?
A: Microsoft recommends that customers potentially impacted by the change to Authenticode signature verification, which will become default behavior in June 2014, should test their signed binaries with the added functionality enabled by the registry key provided in Security Advisory 2915720. Links to additional information about code signing, and what is permitted in the WIN_CERTIFICATE structure, are included in the security advisory.
Q: When will be the last day Microsoft provide updates for Office 2003 and Windows XP? Will April 8, 2014 be the last time we receive updates unless we purchase extended support?
A: The April 8th bulletin release would include security updates for Office 2003 and Windows XP, should there be any vulnerabilities that affect these products. Microsoft will stop providing Office 2003 and Windows XP Security updates only after the April Security bulletin release.