May 2013 Security Bulletin Webcast Q&A
Hosts: Jonathan Ness, Security Development Manager
Dustin Childs, Group Manager, Response Communications
Chat Topic: May 2013 Security Bulletin Release
Date: Wednesday, May 15, 2013
Q: Why weren’t the two IE bulletins combined into one bulletin?
A: MS13-037 is a cumulative security update that resolves 11 vulnerabilities in Internet Explorer. MS13-038 is a security update that permanently addresses the Internet Explorer 8 issue described in Security Advisory 2847140.
Q: Do I need to install MS13-037, the May 2013 cumulative security update for Internet Explorer, before installing MS13-038?
A: MS13-038 protects customers from the vulnerability discussed in this bulletin; however, customers should first install MS13-037, the cumulative security update for Internet Explorer, to avoid potential compatibility issues.
Q: Why is Microsoft not releasing a Security Bulletin to address the vulnerability in Security Advisory 2846338?
A: On background: As Microsoft automatically updates malware definitions and the Microsoft Malware Protection Engine on a regular basis, there is no further action for Microsoft customers.
Q: Regarding Security Advisory 2846338, if this vulnerability was already public, why did Microsoft wait until the bulletin release to address the issue?
A: The vulnerability that was made public was related to a Denial of Service (DoS) attack. It was not publicly known that the attack could also be used for remote code execution, nor have we seen any indication that this vulnerability had been used to compromise customers.
Q: Does the Fix-it from Security Advisory 2847140 need to be removed prior to (or after) the MS13-038 patch install or does the patch completely overwrite the changes made by the Fix-it?
A: We recommend that customers who have deployed the Fix-it solution remove it once they have installed MS13-038.
Q: A couple of weeks ago, there was a zero-day bug notice for IE8, is that addressed here and the patches provided yesterday? If so, which KB addresses this?
A: CVE-2013-1347 is addressed in the MS13-038 update released on May 14, 2013. Please refer to KB Article 2847204.
Q: Does MS13-038 address both the Remote Code Execution and Privilege Escalation concerns?
A: MS13-038 addresses the Remote Code Execution vulnerability identified as CVE-2013-1347.
Q: Regarding MS13-046 for both KB Articles 2830290 and 2829361, does this apply to Windows 7 and Windows R2 RTM? The bulletin indicates support for SP1 with no mention of RTM versions. RTM is not listed in the “Non-Affected Software” section.
A: Windows 7 RTM and Windows Server 2008 R2 RTM reached the end of support on April 9, 2013. Because these RTM versions are no longer being supported, they will not be listed in the “Affected/Non-Affected” sections of security bulletins and associated KB Articles going forward. For more information on product lifecycle, visit http://support.microsoft.com/lifecycle.
Q: Are the patches being released this month (MS13-038) cumulative of patches that were recalled or re-released last month?
A: We are not re-releasing additional bulletins this month. The only re-release is Security Advisory 2755801 Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10, and this is being done to provide the latest Adobe Flash updates for Windows 8, Windows RT and Windows Server 2012.
Q: For future exploits of IE8, can EMET help to protect IE on Windows Server 2003?
A: Yes. EMET can help to protect IE on Windows Server 2003.
Q: In MS13-044, does this vulnerability affect other versions of Visio Viewer as well?
A: For MS13-044, Visio Viewer is not affected by this vulnerability.
Q: Does MS13-044 allow wildcards to be used in the path for the info disclosure (i.e., c:\path\*.*)?
A: Wildcards cannot be used in the path for a Visio Info Disclosure attack. An attacker has to specify the correct file path and file name.
Q: Regarding MS13-037 and MS13-038, they are both rated as Moderate on Windows Server OSs. Is this rating of Moderate based solely on the fact that these OSs have “Enhanced Security Configuration” on by default? If so, what would the rating be if Enhanced Security Configuration was not enabled?
A: Affected Microsoft Server Operating Systems ship with Enhanced Security Configuration enabled by default. Due to this default setting, the severity for the Server SKUs is Moderate. We do not recommend disabling the feature.