January 2013 Out-of-Band Security Bulletin Webcast Q&A
Hosts: Jonathan Ness, Security Development Manager
Dustin Childs, Group Manager, Response Communications
Chat Topic: January 2013 Out-of-Band Security Bulletin ReleaseDate: Monday, January 14, 2013
Q: MS13-008 is not a cumulative update for Internet Explorer and states it will cause problems if MS12-077 is not installed. If MS12-077 is pending along with MS13-008, will standard install order prevail in that MS12-077 will install before MS13-008? Additionally, can these be chained together with a single reboot or are these updates mutually exclusive requiring separate reboots?
A: If the user machine doesn’t have MS12-077 installed. The Windows Update client will detect both MS12-077 and MS13-008 applicable to the machine. Although they are not chained together, it will be one reboot after Windows Update client detects them both.
Q: If EMET was used to mitigate the possible attack, should this be removed once the patch is successfully installed?
A: EMET is not only effective to mitigate possible attacks of this issue, but it's a useful tool to mitigate several classes of attacks. EMET adds several layers of mitigations to the ones already present in the operating system. If EMET works for your environment we recommend keeping it enabled to mitigate future attacks.
Q: We've had issues with the "default form button not being selected" for many of our users after installing the Fix-it. Will this side effect be resolved by installing MS13-008 or uninstalling the fixit post patching?
A: Yes. This compatibility issue is only a side effect of the Fix-it solution. It will not be a problem with the new MS13-008 bulletin. Also, you can install the MS13-008 bulletin while the shim Fix-It is in place, and then later disable the Fix-It. You do not need to disable the Fix-It first.
Q: Does this patch in any way affect the end-user browsing experience?
A: MS13-008 needs MS12-077 to avoid compatibility issues. Without MS12-077 installed with MS13-008, the user might see a blank page or see navigation cancellation. With both updates installed, there will be no change to the end-user browsing experience.
Q: Why wasn't this Out-of-Band update released during the regular Update Tuesday? Did the holidays affect the release date?
A: The holidays did not affect the release of the update. We did work over the holidays to monitor the threat landscape and in parallel worked on the update to ensure it is of the same high quality to help protect customers from attacks.
Q: Would you expect this to be in the next Internet Explorer cumulative update?
A: Yes, it will be included in a future Internet Explorer cumulative update.
Q: Why are Internet Explorer 9 and 10 are not affected by this vulnerability?
A: Internet Explorer 9 and Internet Explorer 10 are not affected because they don't contain the code responsible of this issue.
Q: What is the severity rating if Enhanced Security Configuration is NOT enabled?
A: The severity rating of the issue for a server system without Enhanced Security Configuration enabled is Critical.
Q: There was news that the Fix-it released under Security Advisory 2794220 could be bypassed. Can you please confirm that this update will not be bypassed as the Fix-it was?
A: Yes, we can confirm that the update addresses the attack scenarios including the Fix-it bypass that was in the news recently.
Q: Specifically thinking servers, NOT desktops, does this affect XML transfers between machines? Is there any way that an incoming XML package could exploit this problem?
A: No, the incoming XML package will not exploit this issue.
Q: Is it possible to upgrade to Internet Explorer 9 instead of deploying this patch? The upgrade should not require reboot. We cannot get a change window quick enough to deploy this update to cover the vulnerability due the reboot required.
A: Internet Explorer 9 and 10 are not affected by this vulnerability and MSRC encourages customers to upgrade to the latest versions of our products, as they include the latest security engineering features.
Q: Is there one download that I could use to push out to the client desktops for KB2799329 for multiple versions of Internet Explorer in my environment?
A: No, for KB2799329, for each version of Internet Explorer, the specific package has to be chosen and installed. And note that KB2799329 needs KB2761465 to avoid functional break. The corresponding MS12-077 package KB2761465has to be chosen and installed as well to avoid function breaks.
Q: Since MS12-077 is a cumulative update, if it is *not* already on a server, is a reboot required after it's applied before MS13-008 can be installed, or will one reboot take care of everything?
A: If MS12-077 is not already installed on the machine, MS12-077 and MS13-008 will pop up in the Windows Update client at the same time and one reboot will take care of everything.
Q: It appears that the advisory page has been updated with the release information of MS13-008 but the link in the advisory to the "Fix-it" to disable the MSHTML shim has been removed. Where can we get the link for the fixit disable?
A: All relevant information about the fix it solution can be found in the KB article for this bulletin: http://support.microsoft.com/kb/2799329
Q: Can we install KB2798897 and MS13-008 at the same time (I'm installing to servers).