Security: September 2012 Microsoft Patch Tuesday
This month Microsoft is issuing two patches listed as important. They affect certificates used to verify updates and access to Microsoft websites.
It was reported that one or more pieces of malware were distributed with fake Microsoft certificates. As such, Microsoft issued a partial patch last month; the second phase will be released this month, and the final installment will be released in October.
More Detail: KB2661254 is part of a Microsoft Certificate Review project that was triggered initially by the DigiCert incident and then accelerated by the discovery that the Flame malware was signed by a legitimate Microsoft certificate. Microsoft first revoked the certificate authorities involved via a mandatory update, and then reengineered the Windows Update process to use additional security and integrity measures. KB2661254 is another step in hardening the overall Windows certificate infrastructure: it will treat any certificate signed with an RSA key shorter than 1024 bits as invalid. RSA keys of under 1024 bits have been broken in the past and are considered forgeable. Current best practice for key length is 2048 bits.
Microsoft is announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length. The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
Microsoft is making this patch a mandatory update. However, the update is also available on the Download Center as well as the Microsoft Update Catalog for all supported releases of Microsoft Windows. In addition, Microsoft is planning to release this update through Microsoft Update in October 2012, after customers have had a chance to assess its impact and take the necessary actions to use certificates with RSA keys of 1024 bits or more in their enterprise.
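Before the update goes out through Microsoft Update in October, the practical question for an administrator is which certificates on a given machine will start failing validation. The script below is an added example written for this post; it is not Microsoft's code and not part of KB2661254. It assumes Windows PowerShell with the Cert: provider and walks every store under CurrentUser and LocalMachine, reporting RSA certificates whose public key is shorter than the 1024-bit threshold the update enforces (the threshold is a parameter so you can also audit against the 2048-bit best practice mentioned above).

```powershell
# Added example (not from the original post or from Microsoft): audit the local
# certificate stores for RSA public keys shorter than the minimum KB2661254 enforces.
# Assumes Windows PowerShell with the Cert: drive available.

function Get-WeakRsaCertificate {
    param(
        # 1024 is the limit the update applies; pass 2048 to audit against best practice.
        [int]$MinimumBits = 1024
    )

    # -Recurse walks CurrentUser\* and LocalMachine\* stores; containers are the
    # stores themselves, so keep only the certificate entries.
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $cert = $_

            # The update concerns RSA keys only; DSA and ECC entries are not affected.
            if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }

            $bits = $null
            try {
                # .Key exposes the legacy CAPI wrapper; KeySize is the modulus length in bits.
                $bits = $cert.PublicKey.Key.KeySize
            } catch {
                # Some entries cannot be wrapped by the legacy provider; report them for
                # manual review rather than silently skipping them.
                $bits = $null
            }

            if ($null -eq $bits -or $bits -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = ($cert.PSParentPath -replace '^.*::', '')  # e.g. LocalMachine\My
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = if ($null -eq $bits) { 'unknown' } else { $bits }
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
}

# Usage: list everything that will be treated as invalid once the update is installed.
Get-WeakRsaCertificate -MinimumBits 1024 | Sort-Object Store, Subject | Format-Table -AutoSize
```

Anything the script lists needs to be reissued with a key of at least 1024 bits (2048 is the sensible target) before October; entries reported as "unknown" should be inspected by hand, since the script could not read their key length and errs on the side of showing them. Running it from an elevated prompt is only needed if you also want to enumerate stores that restrict read access.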
The other update impacts Microsoft FoxPro Database and Microsoft Management Server (very few people use those products).
In addition, Microsoft is providing a new update to its malicious software removal tool.
Bottom line: Be sure to leave your computers and servers turned on Wednesday night, and restart them Thursday morning.
Many thanks and have a great week,