May 2014 Security Bulletin Webcast Q&A
Hosts: Jonathan Ness, Security Development Manager; Dustin Childs, Group Manager, Response Communications
Website: TechNet/Security
Chat Topic: May 2014 Security Bulletin
Release Date: Wednesday, May 14, 2014
Q1: Why is the credentials update a security advisory instead of a security bulletin? A1: This update does not resolve a security vulnerability. Instead, it provides an update that improves the overall security of your system. Microsoft recommends that customers download and deploy it in their environments as soon as possible.
Q2: For MS14-025, do I need to take any additional actions besides applying the update? A2: This update does not remove existing Group Policy Objects (GPOs) configured prior to applying the security update. Customers with existing GPOs using the listed Group Policy preferences should manually remove them to ensure this issue is fully addressed.
Q3: If Windows Storage Server 2008 is affected, why isn’t there a fix available? A3: The architecture to properly support the fix provided in the update does not exist on Windows Storage Server 2008 systems, making it infeasible to build the fix for Windows Storage Server 2008. We recommend that you limit the attack surface from untrusted networks by placing iSCSI on its own isolated network, separate from any network on which internet traffic flows. For more detail on how to set up iSCSI securely, see Installing and Configuring Microsoft iSCSI Initiator.
Q4: I do not see the same CVE in MS14-029 that I do in MS14-021. How can 029 be a replacement? A4: The CVE IDs are called out in the bulletin that addresses the issues. When the new bulletin is available, the CVE in the previous bulletin is not called out again. For example: MS14-018 replaces MS14-012, but the CVEs from the replaced update will not be listed again.
Q5: MS14-021 is showing up as compliant in SCCM without a reboot. Is it possible that this hotfix can be deployed without a reboot if IE is not in use? A5: If IE is not in use, this security update can be deployed without a reboot. If IE is in use, the installer will prompt a reboot.
Q6: FAQ for MS14-029 states that this update can be installed before or after the update for MS14-018. Can both be installed together, that is without a reboot in-between? A6: Yes, MS14-029 and MS14-018 can be installed together without a reboot in-between. We strongly recommend a reboot after both the updates are applied to avoid any caching issues of the installer.
Q7: Is the IE critical update in the May release related to the IE zero day that was released recently? A7: The MS14-029 bulletin addresses a zero day attack that was not publicly known, titled CVE-2014-1815. The update also includes the fix from MS14-021, the out-of-band update that addresses CVE-2014-1776, which was released out-of-band on May 1, 2014.
Q8: MS14-025 seems to be an update only to the RSAT tools. This update doesn't change the GP preferences themselves just the tools to edit them. So if I leave one station un-updated I'll still be able to edit these Group Policy Preference passwords until we've completely removed them from our environment. Is that correct? A8: Yes, MS14-025 updates the tools that are used to create the Group Policy Preferences such as the Remote Server Administration Tools, which can be downloaded from the Download Center or Group Policy Manager which is built into server SKUs. If a workstation is not updated, you will still be able to create a group policy preference that is vulnerable to the attack described in MS14-025. To help administrators find existing group policy preferences already deployed in their environment we have published some scripts in KB 2962486. We recommend customers take a look at that to help them find and remove existing Group Policy Preferences.
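One way to inventory preferences that still carry an embedded password, written here as an added example (it is not the script from KB 2962486 or any other Microsoft code) and assuming the standard SYSVOL Policies folder layout and the cpassword attribute that Group Policy Preferences use to store such passwords:

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP item types that can carry an embedded (cpassword) credential.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute names the different item types use for the account name.
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_gpp_passwords(sysvol_root):
    """Return (relative path, item tag, account) for each GPP item whose
    <Properties> carries a non-empty cpassword. The value is never returned."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed preference file; log this in real use
            for item in root.iter():
                props = item.find("Properties")
                if props is not None and props.get("cpassword"):
                    account = next((props.get(a) for a in ACCOUNT_ATTRS
                                    if props.get(a)), "")
                    findings.append((os.path.relpath(path, sysvol_root),
                                     item.tag, account))
    return findings


def build_sample_sysvol():
    """Constructed sample: one GPO embedding a local-admin password and one
    clean mapped-drive GPO. Point find_gpp_passwords at a real Policies share."""
    base = tempfile.mkdtemp()
    bad = os.path.join(base, "Policies", "{GUID-A}", "Machine", "Preferences", "Groups")
    good = os.path.join(base, "Policies", "{GUID-B}", "User", "Preferences", "Drives")
    for d in (bad, good):
        os.makedirs(d)
    with open(os.path.join(bad, "Groups.xml"), "w") as f:
        f.write('<Groups><User name="LocalAdmin"><Properties action="U" '
                'userName="LocalAdmin" cpassword="CONSTRUCTED_SAMPLE"/></User></Groups>')
    with open(os.path.join(good, "Drives.xml"), "w") as f:
        f.write('<Drives><Drive name="H:"><Properties action="U" '
                'path="\\\\fileserver\\home"/></Drive></Drives>')
    return base
```

For a real scan, call find_gpp_passwords on the domain's Policies folder under SYSVOL; each hit names the file, item type and account so the preference can be removed and the affected password rotated.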
Q9: MS14-022 is about critical vulnerabilities with an Exploitability Index rating of 1. Why is it a Deployment Priority of 2? Can you explain how Microsoft rates its Deployment Priorities? A9: The bulletin severity, Critical in this case, evaluates the worst theoretical outcome from a vulnerability and does not consider exploitability. The exploitability index (XI) looks at how easily an attacker could craft exploit code if they chose to try. The deployment priority (DP) takes those into consideration, but also includes how attractive a target is, how common an exploit type is, and whether there are any active attacks. For this month, there were two issues with known active attacks that are more attractive to attackers than this SharePoint issue.
Q10: Can any authenticated user ID be used to exploit the vulnerability addressed in MS14-022? Or only a user ID that has some level of update on a SharePoint site? A10: This is a cross-site scripting vulnerability, so whatever code being injected through the vulnerability would run in the context of the current user. Users with more permissions would be more capable of causing harm if attacked through this vulnerability.
Q11: Can you verify MS14-022 is only a vulnerability if the attacker has contributor rights in SharePoint? A11: This is a generic cross-site scripting vulnerability. Client-side code may be injected into the page via the query string and run in the context of the logged-in user. Even a reader would have permissions to do things to their own profile and this vulnerability would allow an attacker to do so. With more permissions comes more surface area that could be touched by an attacker; however, less than contributor permissions would likely not have significant ability to break anything for other users.
Q12: The file manifest for IE bulletin MS14-029, KB2953522, seems to be missing some sections. A12: We are aware of the missing sections for manifests and we have updated the security bulletin, and we will update the KB article with the manifest shortly today.
Q13: We noticed today that MBSA version 2.2 didn't report back that some machines needed MS14-025 when we used the "Advanced Update Services Options" = "Scan using Microsoft Update Only", but it shows as required when we scan offline. Our SCCM scans find these machines need MS14-025. Why are we seeing this behavior in MBSA? A13: It is unusual for MBSA to report different results for the same systems when used in "offline" mode versus "Scan using Microsoft Update only". Troubleshooting this would involve checking the offline scan file Wsusscn2.cab to make sure it is current, or it may possibly have become corrupted. However, one thing to note is that there is a newer version of MBSA that you should consider using. Among the benefits of MBSA version 2.3: this version supports the newer operating systems, including Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. For full details, visit http://www.microsoft.com/mbsa.
Q14: For MS14-026, are all .NET installations vulnerable, even if no .NET applications are installed? Are all .NET installations eligible to receive the update? A14: Only systems that have a .Net application that actively uses .Net Remoting are vulnerable to this CVE. All affected versions of .NET Framework on all affected platforms will receive the update.
Q15: For the UEFI advisory, can you specify which backup vendor is impacted? A15: The revocation of the non-compliant UEFI restore module was managed in close cooperation with the third-party author. Prior to Microsoft's release of this revocation, the third-party author confirmed that they had successfully deployed updated, compliant modules to affected customers. Microsoft encourages all affected customers to apply this update.
Q16: Can you please talk about the MS14-021 IE OOB update? A16: The thing to know about MS14-021 (IE OOB) is that it is replaced by MS14-029. So if you plan on installing MS14-029 for Internet Explorer, you do not need to plan to install MS14-021. You will be covered. Finally, remember that MS14-029, like MS14-021, does have the previous IE Cumulative Update (MS14-018) as a prerequisite. MS14-018 does need to be installed prior to installing either of the subsequent IE security updates.
Q17: Can you confirm KB2919355 deadline has been moved to the June 2014 bulletin release? A17: While the majority of Windows 8.1 customers have installed the Windows 8.1 Update, not all have. It’s important to us that our customers are running the latest updates, and we’re committed to helping ensure their safety. As a result, we’ve decided to extend the requirement for consumers to update their devices to the Windows 8.1 Update another 30 days to June 10th. As noted previously, consumer customers who do not update their Windows 8.1 devices to the Windows 8.1 Update by this new deadline will no longer receive updates. We’re confident that within the next month, the majority of the remaining customers who haven’t updated their devices to the Windows 8.1 Update will be able to do so.