March 2013 Security Bulletin Webcast Q&A
Hosts: Andrew Gross, Senior Security Program Manager
Dustin Childs, Group Manager, Response Communications
Chat Topic: March 2013 Security Bulletin
Release Date: Wednesday, March 13, 2013
Q: Does the IE bulletin (MS13-021) address the issues used to take down IE10 in Pwn2Own?
A: Microsoft works with the security community to protect our customers against all threats and we are investigating possible issues identified by researchers during the Pwn2Own competition. We are not aware of any attacks and the issues should not affect our customers, as Pwn2Own organizers do not publicly disclose the competition’s findings.
Q: For MS13-021, does EMET help mitigate attacks that try to exploit these vulnerabilities?
A: Yes. The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the exploitation of these vulnerabilities by adding additional protection layers that make the vulnerabilities harder to exploit. EMET is a utility that helps prevent vulnerabilities in software from being successfully exploited for code execution, by applying the latest security mitigation technologies. For more information, see Microsoft Knowledge Base Article 2458544.
Q: Could the vulnerability which MS13-023 addresses apply to client systems with a full version of Visio installed? (Following up anticipated answer of “no”: Even if the Default Program setting for Visio files is Internet Explorer)?
A: The update does apply to machines with the full version of Visio. Please see bulletin Affected Software table.
Q: Can you explain to me what Microsoft Search Server is for, what products it comes with and whether it is necessary?
A: Microsoft Search Server is a feature as part of SharePoint 2010 and is fixed as part of MS12-024.
Q: Regarding MS13-024 (WASRV), is the Web Analytics feature installed with SharePoint 2010 by default? Is the update for the feature available from Windows Update or from the Download Center only?
A: No, this is not installed by default. It depends on the SKU and the install type. Web Analytics is an enterprise SKU feature and requires you to set up the WA service application for it to work. This doesn’t happen unless you’re using a “single-click” install. The update is available for both Microsoft Update and DLC.
Q: Regarding MS13-024, how would an attacker take advantage of these vulnerabilities?
A: These are the possible attack vectors outlined in the bulletin: An attacker must input a specially crafted URL to a system running an affected version of SharePoint Server (CVE-2013-0080, CVE-2013-0084, CVE-2013-0085). A user must visit a specially crafted page usually only available to SharePoint administrators (CVE-2013-0083).
Q: When clicking on the Microsoft SharePoint Server 2010 Service Pack 1 link from the bulletin, it takes me to a page for Security Update for Microsoft Search Server 2010 (KB2553407) instead of MS13-024: Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2780176). Is the link pointing to the wrong download page?
A: The download link is correct. KB2780176 is the master KB article for bulletin MS13-024, but the individual updates each have their own package KB article. The package KB Article for SharePoint Server 2010 SP1 is KB2553407, so this is the correct download center reference. Also of note, the package KB for SharePoint Foundation 2010 SP1 is KB2687418.
Q: What is it about SharePoint related patches (e.g., MS13-024 this month and MS13-013 last month) that make them uninstallable?
A: Due to schema changes, database changes, registry key changes, etc. we do not allow SharePoint updates to be uninstalled. Enabling them to be uninstalled could be destabilizing to the SharePoint installation.
Q: What is the Microsoft Filter Pack? If it’s the same as the Outlook Spam Filter, why is it separated? (MS13-026)
A: The Filter Pack is not the same as the Outlook Spam Filter. The Filter Pack is a component that allows search services to index content of specific file types, letting you search for content in those files.
Q: Regarding MS13-027, does disabling Autorun prevent this attack?
A: Disabling Autorun would not prevent this type of attack as the issue addressed by this update occurs prior to Autorun settings being processed by a system. We encourage customers to apply the update to ensure they are protected against this issue.
Q: Regarding MS13-027, I have disabled USB devices through group policy, am I protected from this issue?
A: The issue addressed by this update occurs prior to group policy settings being processed by a system. The best way to protect against this issue is to apply the related security update.
Q: Regarding MS13-027, what about the PCoIP technology (PC over IP) with USB access enabled?
A: Technology that passes through low-level device enumeration may allow for exploitation of memory corruption vulnerabilities in USB device enumeration (like MS13-027).
Q: Regarding MS13-027, could a terminal services user, or a VDI user with valid user credentials, remote the malicious device to exceed their privilege level?
A: In a default scenario, Terminal Services and the Remote Desktop Protocol do not pass through low-level device enumeration and are not affected by MS13-027. Please refer to the SRD blog for further information.
Q: Regarding MS13-027, will blocking USB ports (using a 3rd party vendor) fully mitigate the risks imposed by this vulnerability while the patch is tested?
A: Third party software that disables the specific RNDIS drivers that are affected in this bulletin, in the manner described in the "mitigations & workarounds" section of the bulletin, would mitigate risks imposed by this vulnerability.
Q: Why doesn't MS13-027 address FireWire devices and drivers that might cause a similar exploit when connected?
A: MS13-027 addresses a memory corruption vulnerability in the kernel that, if exploited, could allow execution of arbitrary code in the context of the kernel without requiring a user to be logged in or to have a valid session (unauthenticated), which differentiates it from other physical access vectors.
Q: Live Messenger is being retired for Skype; will Skype be supported by MU, the MSRC and the MBSA scanning tool?
A: There are no plans to service Skype with MU and MBSA. We will continue to work with Skype on security issues reported to MSRC. A full listing of currently supported products for the MBSA can be found on the MBSA Security TechCenter.
Q: Any update on MBSA support or a replacement tool for Windows 8?
A: Not at this time.
Q: How do I stop the automatic updates reboot, since I don't want it to unless I tell it to?
A: You can use the “/norestart” flag when installing updates to suppress a restart until a later time. For a full list of available installation switches, see KB832475.
Q: Why doesn’t Dustin use a Surface?
A: He gave it to his Uncle Buck.