November 2013 Security Bulletin Release Webcast Q&A
Hosts: Jonathan Ness, Security Development Manager
Pete Voss, Senior Communications Manager, Response Communications
Chat Topic: November 2013 Security Bulletin Release
Date: Wednesday, November 13, 2013
Q: Does the IE update (MS13-088) address the IE zero-day advisory that was announced last week?
A: Microsoft did not release any zero-day advisories last week. The IE Cumulative Update, MS13-088, does not address any IE vulnerability being exploited in the wild. MS13-090 does address an ActiveX vulnerability which was found exploited in the wild.
Q: Regarding MS13-088, your slide lists affected products as “IE6 through IE11 on all supported versions of Windows Client.” The bulletin states IE11 on Windows 7 (32-bit & 64-bit) is unaffected. Which is correct?
A: The affected products for MS13-088 are IE6 through IE11 for all versions of Windows Client except IE11 on Windows 7, which was fixed as part of the RTM prior to the bulletins. The slide has been updated to reflect this.
Q: Does update MS13-090 contain Kill Bits that were previously released in an Internet Explorer update?
A: No. This update does not include Kill Bits that were previously released in an Internet Explorer security update. We recommend that you install the latest Cumulative Security Update for Internet Explorer (MS13-088).
Q: Are there active attacks against the vulnerability in MS13-090?
A: Microsoft is aware of limited, targeted attacks that attempt to exploit this vulnerability.
Q: Does update MS13-090 address the recent IE zero-day?
A: Yes. Customers with automatic updates enabled are protected from this issue and do not need to take any action.
Q: Regarding MS13-091, is Word Perfect converter a default installed component or can it be optionally selected? If it does not need to be installed, is it still vulnerable?
A: The Word Perfect converter is not installed by default. If the component is not installed, one could not execute the vulnerable code. However, Microsoft recommends applying the update – when a customer attempts to open a document, they’ll receive a prompt inside of Word to apply the converter.
Q: Regarding Microsoft Security Advisory 2862152, is this advisory related to articles from Microsoft about SHA1 and RC4?
A: No. Security Advisory 2862152 is the DirectAccess advisory that does not relate to the cryptographic advisories or articles.
Q: Have we received a final fix for the TIFF (GDI+) vulnerability from last week?
A: The security fix for TIFF (GDI+) is addressed in Microsoft Security Advisory 2896666; an update is planned at a future date. We recommend customers install the Fix it to protect them from any active exploit of the vulnerability.
Q: Regarding the TIFF registry change (Fix it) in Microsoft Security Advisory 2896666, can you explain how this will affect TIFF usage? I have multiple applications in the environment with TIFF files and there is a concern that this will be affected. Can you elaborate a little more on this please?
A: TIFF images will be blocked on the affected software and platforms listed in the advisory.
Q: We still have MD5 512 certs in our environment. Will the 2880823 and 2854544 Security Advisories affect our servers?
A: Microsoft recommends that customers use the SHA-2 hashing algorithm and 2048-bit RSA for robust digital signatures.
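One way to check your own servers against that recommendation, as an added PowerShell example that is not part of the webcast or of any Microsoft tooling; which stores to audit and what counts as a weak hash are assumptions, and the script only reads and reports:

```powershell
# Added example: list certificates in the local machine stores whose signature hash
# (MD5 / SHA-1) or RSA key size (< 2048 bits) falls short of the SHA-2 / 2048-bit guidance.
$stores     = 'My', 'Root', 'CA', 'TrustedPeople'   # assumption: stores worth auditing
$weakHashes = 'md5', 'sha1'                          # assumption: hashes treated as weak

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cert     = $_
            $hashName = $cert.SignatureAlgorithm.FriendlyName   # e.g. "md5RSA", "sha256RSA"
            $keySize  = $null
            # PublicKey.Key can throw for key types the provider cannot load; ignore those
            try { $keySize = $cert.PublicKey.Key.KeySize } catch { }

            $weakHash = $weakHashes | Where-Object { $hashName -like "$_*" }
            $weakKey  = ($cert.PublicKey.Oid.FriendlyName -eq 'RSA') -and $keySize -and ($keySize -lt 2048)

            if ($weakHash -or $weakKey) {
                [pscustomobject]@{
                    Store     = $store
                    Subject   = $cert.Subject
                    Issuer    = $cert.Issuer
                    NotAfter  = $cert.NotAfter
                    Signature = $hashName
                    KeySize   = $keySize
                    Reason    = @(
                        if ($weakHash) { "weak signature hash ($hashName)" }
                        if ($weakKey)  { "RSA key below 2048 bits ($keySize)" }
                    ) -join '; '
                }
            }
        }
}

if ($findings) {
    $findings | Sort-Object Store, NotAfter | Format-Table -AutoSize
} else {
    Write-Host 'No certificates with MD5/SHA-1 signatures or RSA keys under 2048 bits found.'
}
```

Self-signed roots flagged on signature hash alone are lower priority than leaf certificates, since a root's own signature is not what chain validation relies on.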
Q: Last month’s bulletin MS13-081 (KB 2862330) has been causing a number of BSODs. Is a fix coming for that patch?
A: The Bulletin and associated KB Article noted that some 3rd party drivers (particularly USB drivers) might need to be updated for compatibility. If you are encountering issues, the first thing to check is the updated drivers for your system. After that, if you still encounter problems with this update, please open a support case with Microsoft.
Q: Any suggestions for deployment strategies for EMET? Microsoft SCCM?
A: EMET can be easily deployed using SCCM. Read the SCCM blog, Deploying and configuring the Enhanced Mitigation Experience Toolkit (EMET) 3.0 with System Center Configuration Manager, which is the first link found by searching Bing for “EMET SCCM.”
Q: Can you explain the difference between an advisory and a bulletin?
A: Microsoft Security Bulletins provide information and guidance about updates that are available to address software vulnerabilities that may exist in Microsoft products. With each security bulletin that is released, there is an associated software update available for the affected product.
Microsoft Security Advisories are meant to give customers detailed information and guidance on a variety of security-related issues that may not be specifically tied to a software update. For example, an advisory may detail Microsoft software updates that might not address a security vulnerability in the software, but that may introduce changes to the behavior of the product or that introduce new functionality designed to help protect customers from attack.
Q: If the security updates patch the vulnerability, is it important to also employ the mitigation steps?
A: Some patches are installed but not enabled. Until a patch is applied and configured (if needed), a mitigation is needed.