October 2013

 

October 2013 Security Bulletin Webcast Q&A

Hosts:             Jonathan Ness, Security Development Manager
                        Dustin Childs, Group Manager, Response Communications

Website:         TechNet/Security

Chat Topic:    October 2013 Security Bulletin Release

Date:               Wednesday, October 9, 2013

Q: I saw Microsoft gave away 100K for a mitigation bypass. How is this different from a bug?
A:
A mitigation bypass technique is designed to circumvent protections built into operating systems. The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.

Q: Does MS13-087 also impact users of Silverlight in Chrome or Firefox?
A:
Yes. This issue affects the current version of Silverlight regardless of which browser is used. Workarounds for IE, Firefox, and Chrome are all listed in the bulletin.

Q: We are having issues with MS13-084 and SCCM not detecting it?
A:
MS13-084 is an update for SharePoint, and our Automatic Update tools do not allow you to update SharePoint servers that are configured as part of a multi-system SharePoint Farm, which is the most common deployment scenario for this product. Multi-system SharePoint Farms are a very specialized configuration that requires manual servicing. If your system is not part of a farm, then you should open a case with support to understand why this failing.

Q: I have a Windows 7 Enterprise SP1 64-bit PC where the KB2855844 is not flagged for installation by MBSA and the update cannot be installed. Can you explain why?
A:
Windows 7 SP1 Enterprise 64-bit is definitely an affected platform that should get the update. There are a few possible causes for the system not being offered the update. One is that the system might be in a "pending reboot" state, from some previous updating session. You should reboot the system and run MBSA again to see if that resolves the issue. If this doesn't help, you should open a support case with Microsoft. Support resources can be found at SUPPORT.MICRSOFT.COM.

Q: This month’s updates required my Windows 208 servers to reboot twice.  Is this expected behavior?  We have never had a Microsoft update rebooting twice automatically.
A:
This is a known issue that is documented as part of the KB296233 update as part of MS13-081.

Q: The bulletin for MS13-083 says the vulnerability can only be exposed through a vulnerable web application.  The Security Research & Defense blogs says “Victim opens a malicious RTF file with an embedded control in either Word or Wordpad, resulting in potential code execution in the context of the logged-on user.”  Are both correct?  If so, why wasn’t the RTF document vector mentioned in the bulletin?
A:
The Bulletin speaks to the most severe of the identified attack vectors. As such, we called out the web-related vector to best inform and protect our customers against the most likely attack scenario. We provided additional information to address less severe scenarios that make calls to ComCtl32 in our blog on TechNet. We will review the content and clarify, as appropriate, in our Bulletin to ensure consistency.

Q10: Adobe released Flash 11.9 yesterday, but Microsoft did not update MSA 2887505.  Have IE 10 and 11 been updated to Flash 11.9 via bulletin MS13-080?
A10:
Adobe Flash 11.9 does not contain security fixes, so Microsoft did not update Microsoft Security Advisory for Flash Player (2755801). MSA 2755801 will be updated if there is a security release for Adobe Flash. MSA 2887505 and Bulletin MS13-080 only have information about Internet Explorer Vulnerabilities. For more information about Flash Player in Internet Explorer on Windows 8.1 and Windows 8, please see http://support.microsoft.com/kb/2886439.

Q: Our IT Security Team has asked us to deploy bulletin ms13-080 to all our production boxes immediately.  Does it require any testing before deploying to production machines?  What does Microsoft recommend?
A:
We are not aware of any issues with this update that might lead to a disruption of your production environment. That said, Microsoft always recommends testing updates on a system that is representative of your environment prior to deploying them.

Please refer to "Stage 4" of the "Microsoft Security Update Guide, Second Edition" for official guidance around testing of security updates.  

See: http://www.microsoft.com/security/msrc/whatwedo/securityguide.aspx

Q: Regarding MS13-083, does this affect IIS, or does it include any third party websites?
A:
MS13-083 is not a vulnerability in IIS, it is a vulnerability in comctl32.dll, so any first or 3rd party code using these common controls could be affected. In a "web" vector, this would be exposed by a vulnerable ASP.NET application.

Q: Do we need to run the PSCONFIG after applying MS13-084?
A: Yes - as a general rule, any security update that affected SharePoint will require that PSConfig be run after installing the update.

Q: Does EMET mitigate the SharePoint vulnerability?
A: EMET mitigates exploits, not vulnerabilities. If the vulnerability is exploited in a manner that EMET can protect against, then EMET would be a valid mitigation.

Q: I was looking for the MBSA 2.3 Preview. Where can I find it?
A:
MBSA 2.3 Customer Preview has now concluded. The final release will be available fall 2013. MBSA 2.3 release adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 2000 will no longer be supported with this release. Additional details can be found at http://technet.microsoft.com/en-us/security/cc184924.