March 2014 Security Bulletin Webcast Q&A

Hosts: Andrew Gross, Sr Security Program Manager
       Pete Voss, Senior Manager, Response

Website: TechNet/Security
Chat Topic: March 2014 Security Bulletin Release
Date: Wednesday, March 12, 2014

Q1: For MS14-016, is Windows XP affected if ADAM is not installed?
A1:
Windows XP is only affected when the Active Directory Application Mode (ADAM) option is also installed. This is not installed by default.

Q2: There are multiple packages for some of the platforms listed in MS14-016. Are both needed? Does order of installation matter?
A2:
If you have ADAM installed on Windows XP 64-bit or Windows Server 2003 versions, you will need to install both KB2923392 and KB3933528 to be fully updated. It does not matter which of these updates is installed first.

Q3: Will there be updates for Windows XP next month?
A3:
Windows XP and Office 2003 both go out of support next month. We will be providing applicable updates in April for those products if needed.

Q4: Do I need to uninstall the Fix it from the security advisory before applying the MS14-012 update?
A4:
No, you will not need to uninstall the Fix it provided in Security Advisory 2934088. However, we do recommend uninstalling the Fix it after applying the update. The Fix it does have a slight performance impact on the startup time of IE and is not needed once the update is applied.

Q5: Knowing XP support will cease in April 2014, is there an end date as well for Office 2007 support?
A5:
Office 2007 will no longer be supported after October 10, 2017. See http://support.microsoft.com/lifecycle for further details.

Q6: For MS14-012, is the attack mitigated by the user’s permission level; or, are you inferring this is not only a remote code execution, but also an elevation of privilege risk?
A6:
If the remote code execution is successful, the malicious code can only use the same privileges as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. If the current user is logged on with non-administrative rights, an attacker could only perform the actions available to that account.

Q7: What is the difference between normal support and extended support? It seems you are still releasing patches for Windows Server 2003?
A7:
During mainstream support, updates are provided for both security and non-security issues. Customers can also request feature changes. During extended support, updates for desktop operating systems are only provided for security issues. No updates are provided for non-security-related issues. For servers, extended hotfix support is available; however, feature changes cannot be requested. See http://support.microsoft.com/lifecycle.

Q8: We had issues with .NET 4.5.1 breaking systems; is it still going to be pushed?
A8:
We are not aware of any known issues with .NET Framework 4.5.1. If you are experiencing issues, please contact Microsoft through http://support.microsoft.com.