July 2013

July 2013 Security Bulletin Webcast Q&A

 

Hosts: Jonathan Ness, Security Development Manager; Dustin Childs, Group Manager, Response Communications

Website: TechNet/Security

Chat Topic: July 2013 Security Bulletin Release

Date: Wednesday, July 10, 2013

 

 

Q: For MS13-054, do the updates need to be installed in a certain order?

A: If you need to install more than one of these updates, they can be installed in any sequence.

 

Q: Which bulletins contain a GDI+ related update?

A: CVE-2013-3129 addresses the following products. You need to install only the updates that correspond to the software you have installed on your systems.

 

Q: Assuming I have all affected software installed, how many update packages will I need for GDI+?

A: A customer with all affected software installed should apply six total packages. Customers who have non-typical installations (e.g., Lync attendee admin, Lync attendee user, or multiple versions of affected software concurrently installed) will be offered additional packages.

 

Q: Do you publish a master supersedence (?) table?
A: There is detailed bulletin information available in an Excel spreadsheet, including supersedence. The information there can be used to generate a master supersedence table. The link is available at https://technet.microsoft.com/en-us/security/bulletin/ in the Download Detailed Bulletin Information section.

 

Q: I had issues with MS13-046 that caused me to stop deployment.  Should I expect to encounter similar issues with MS13-053?  Also, does MS13-046 have to be installed before MS13-053?

A: We are not tracking any concerns with MS13-053 at this time. There will always be a possibility that any update may encounter an issue within specific specialized environments, and so this is the reason that we encourage customers to test updates prior to deploying them. As for the second question, MS13-053 fully supersedes (or replaces) MS13-046 for all affected platforms, and you will be fully protected from the issues that are described in MS13-046 if you only apply MS13-053.

 

Q: Regarding EMET 4.0: Documentation says it requires ".NET Framework 4". Is that .NET Framework 4.0 Client Profile, or .NET Framework 4.0 Full? On Windows 8, if .NET Framework 4.5 is installed, is .NET Framework 4.0 still needed?

A: .NET Framework 4.5 that ships in-box on Windows 8 is an in-place upgrade on .NET 4.0, so on Windows 8, .NET 4.0 is not needed as .NET 4.5 is available.

 

Q: Regarding MS13-055, Would EMET 4.0 block this?

A: Yes, EMET 4.0 mitigates against this potential risk. In fact, we’re aware of targeted attacks attempting to exploit CVE-2013-3166, which is addressed by MS13-055, and these attacks are mitigated by EMET 4.0.

 

Q: Why does the Malicious Software Removal Tool (MSRT) install and run twice this month?  It runs once during the first pass through Windows Update, then if you run Windows Update again it shows that MSRT is needed again.  Once it downloads and runs the second time, Windows Update no longer thinks it needs to run again.

A: We are in the process of rolling out a new version of MSRT and to manage the risk, we are releasing the new version in stages over a few months.  In this month, if you let Windows Update automatically download, you will get the old version.  But if you manually check for it, you will get the new version. This is possibly the reason for the two offerings.

 

Q: Regarding MS13-054 for Office 2010 (KB2687276), is this update available to all installations of Office 2010 regardless of the operating system it resides on, or is it applicable only to Windows XP and Server 2003?  The file specified in the manifest for KB2687276, Ogl.dll, is not found on Windows 7 or 2008 R2 after update installation. Is this file only for specific operating systems or are there files missed in the manifest?

A: OGL.DLL is used when we cannot or do not have GDIPLUS.DLL. Windows 7 and Windows 2008 R2 have it. For Office 2010 we use ogl.dll on Windows XP and Windows Server 2003 only; otherwise we use the system gdiplus.

 

Q: Our Windows 7 machines have the “Authenticated Users” group set to modify for NTFS permission on C:.  We have not changed anything from the default install. Is Microsoft aware of this?

A: Yes, we are aware of Group Policies allowing "Authenticated Users" to have write permissions on C:. In the default Windows 7 configuration, authenticated users do not have permissions to write files on the root directory. They can create folders under C:.