January 2013 Security Bulletin Webcast Q&A
Hosts: Andrew Gross, Senior Security Program Manager
Dustin Childs, Group Manager, Response Communications
Chat Topic: January 2013 Security Bulletin Release
Date: Wednesday, January 9, 2013
Q: Is the guidance listed in Security Advisory 973811 new?
A: Microsoft previously advised customers to apply and enable the non-security updates listed in Security Advisory 973811 to help make sure that their computers are as protected as possible.
Q: Can the print spooler issue be exploited in a default scenario?
A: This issue could not be triggered by clients printing to a shared printer unless third party software is installed. A system would need additional software to be affected, such as add-on software shipped by printer manufacturers to monitor the print queue.
Q: Are we aware of non-Microsoft web applications or services that use the MSXML library?
A: We are not aware of any specific application or service using the MSXML library that is under active attack; however, we encourage customers to apply all the security updates provided in the January 2013 bulletin release to help ensure maximum protection.
Q: In the past, similar updates to .NET have been rated Critical. Why is this update rated Important?
A: The severity rating downgrade was the result of mitigations we deployed to prevent browse-and-own scenarios, a situation in which a customer directs their browser to a malicious website able to execute code on their system.
Q: What is an example of a higher Integrity Level (IL) process?
A: The Integrity Level (IL) represents the trustworthiness of running application processes and objects, such as files created by an application. Internet Explorer runs at a Low IL while Windows Explorer runs at a Medium IL.
Q: Are PCI compliant systems affected by MS13-006?
A: In order to be PCI compliant, SSLv2 must be disabled. If SSLv2 is disabled, the issue addressed by MS13-006 cannot downgrade the SSLv3 session negotiation.
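The answer above turns on whether SSL 2.0 is actually disabled in Schannel. The following PowerShell is an added example, not part of the webcast or of any Microsoft tooling: it reads the standard Schannel protocol keys under HKLM and reports whether SSL 2.0 is explicitly disabled for the server and client sides, and provides a helper that applies the disabling values. The registry path and value names are the documented Schannel layout; the assumption is that no Group Policy or third-party product manages these keys.

```powershell
# Added example (not from the webcast): audit and optionally disable SSL 2.0 in Schannel.
# Assumes the standard Schannel registry layout; run from an elevated prompt to apply changes.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

function Get-Ssl2State {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base $side
        $enabled = $null
        $disabledByDefault = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        [pscustomobject]@{
            Side               = $side
            KeyPresent         = (Test-Path $key)
            Enabled            = $enabled
            DisabledByDefault  = $disabledByDefault
            # Only an explicit Enabled=0 counts; a missing key means the OS default applies,
            # which is what a PCI assessor will ask you to prove rather than assume.
            ExplicitlyDisabled = ($enabled -eq 0)
        }
    }
}

function Disable-Ssl2 {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

Get-Ssl2State | Format-Table -AutoSize
# Disable-Ssl2   # uncomment to apply; Schannel reads these keys at boot, so reboot afterwards
```

Run Get-Ssl2State before and after patching to record the state; if ExplicitlyDisabled is False on the Server side, the downgrade described in the answer is still a concern regardless of the MS13-006 update.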
Q: What’s the latest on Internet Explorer?
A: We saw the report stating the Fix it can be bypassed, and we confirmed the Fix it does block all the active attacks we have seen. We continue to work around the clock developing a full security update. We continue to recommend folks either upgrade to Internet Explorer 9 or 10, or install the Fix it.
Q: The Print Spooler vulnerability appears to be tied to Level 2 details within the print jobs. If exploited by an authenticated user, could code automatically run on the print server? If so, is EMET a viable workaround if it was protecting the Print Spooler Service?
A: The malicious code in the attack scenario for MS13-001 runs from a client that has access to the print queue; no code is executed on the print server itself. Although EMET can be an effective tool to mitigate exploitation, users who are concerned about exploitation are strongly recommended to prioritize deployment of the MS13-001 update.
Q: MS13-001: Are the systems affected if they are not sharing any printers? I understand that it is the clients that are going to be compromised, so is the patch required on clients even if they are not sharing any printers?
A: The vulnerability requires access to a print queue; it does not require a printer to be "shared." The client, not the server, is affected in this attack scenario.
Q: Do .NET updates require extra time to install?
A: .NET security updates do not require any extra time to deploy than other security updates. Microsoft has a dedicated testing phase for all security updates to ensure they are of sufficient quality for release. Even with all the testing that we do, Microsoft recommends all customers test updates before deploying them in their environment.
Q: MS13-004: It is an elevation of privilege vulnerability, but the executive summary says "An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user." Could you please clarify?
A: This vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions. Code Access Security provides a security mechanism to help protect computer systems from malicious mobile code, to allow code from unknown origins to run with protection, and to help prevent trusted code from intentionally or accidentally compromising security. Think of Code Access Security as a form of a sandbox. An attacker could host a website containing a specially crafted .NET application, convince a user to run this application under the security protections provided by Code Access Security, and then break out of this restricted environment to obtain code execution in the context of the currently logged-on user.
Q: Is there a tool I can use to verify if remote machines have all the installed updates?
A: You can use the Microsoft Baseline Security Analyzer (MBSA) for this function, but note that MBSA is not supported for Windows 8, Windows Server 2012 or Windows RT. Microsoft manageability tools like System Center Configuration Manager have this functionality as well.
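For environments where MBSA is unsupported, a lightweight check can be scripted with Get-HotFix, which queries Win32_QuickFixEngineering on each remote machine. The block below is an added example, not part of the webcast or of Microsoft's tooling; the computer names and KB identifiers in the usage line are placeholders to be replaced with the KB numbers from the bulletins you are tracking. It assumes WMI/DCOM is reachable on the targets and that the caller has local administrator rights there.

```powershell
# Added example (not from the webcast): report whether specific KB updates are present on remote hosts.
# Get-HotFix reads Win32_QuickFixEngineering over WMI; needs admin rights and WMI reachability.
function Test-KbInstalled {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $KbId
    )
    foreach ($computer in $ComputerName) {
        try {
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                         Select-Object -ExpandProperty HotFixID
        }
        catch {
            # Unreachable hosts are reported per KB so the output stays one row per (host, KB)
            foreach ($kb in $KbId) {
                [pscustomobject]@{ Computer = $computer; KB = $kb; Status = 'Unreachable'; Detail = $_.Exception.Message }
            }
            continue
        }
        foreach ($kb in $KbId) {
            [pscustomobject]@{
                Computer = $computer
                KB       = $kb
                Status   = if ($installed -contains $kb) { 'Installed' } else { 'Missing' }
                Detail   = $null
            }
        }
    }
}

# Placeholder hosts and KB IDs (constructed for the example); substitute your own.
Test-KbInstalled -ComputerName 'SERVER01', 'WKS-042' -KbId 'KB0000001', 'KB0000002' |
    Sort-Object Status, Computer | Format-Table -AutoSize
```

One caveat: Win32_QuickFixEngineering only lists updates installed through Windows servicing, so MSI-based packages (for example many Office updates, and .NET Framework 4 updates on some platforms) may not appear even when installed. Treat a 'Missing' result from this script as a prompt to check with Configuration Manager or the Windows Update history rather than as proof the machine is unpatched.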