Microsoft will be restricting Windows certificate acceptance rules next month and security experts indicate that since September has few software updates, security teams should prepare for the changes.
The patch will change the Windows certificate system, and it will stop accepting certificates that are using RSA keys with fewer than 1024 bits.
Wofgang Kandek, CTO, Qualys Inc.
Microsoft addressed flaws in the Visual Studio Team Foundation Server and the System Center Configuration Manager in its September 2012 Patch Tuesday. The software giant issued two bulletins, both rated important and with no restart required. There were no critical bulletins this month.
Wolfgang Kandek, chief technology officer at Redwood City, Calif.-based Qualys Inc., said that the software addressed in this month's update is not wildly installed on many computers. Kandek said that the key length change should be the area of focus this month.
"The patch will change the Windows certificate system, and it will stop accepting certificates that are using RSA keys with fewer than 1024 bits because those keys are considered forgeable," Kandek said in the company's Laws of Vulnerabilities blog.
In the October 2012 round of updates, Security Advisory 2661254 will become mandatory and RSA keys smaller than 1024 bits will no longer work with Microsoft products. Microsoft made the move to address weaknesses that were exposed by the Flame malware toolkit. It exploited the weak encryption algorithm to create fraudulent Microsoft certificates to spoof the Windows Update mechanism on Windows systems. Researchers have been dissecting Flame and its various components since it was detected on Windows systems in Iran and other countries in the Middle East and North Africa.
Users are encouraged to download the patch now to test it on their systems, wrote Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing.
If communication breaks in an email or on a webpage after the patch is installed, it can be uninstalled while users address the issues and update the faulty certificates, said Paul Henry, forensics and security expert at Scottsdale, Ariz.-based Lumension Security, Inc. Once the bit requirement changes in October, this will not be possible, so it is important to fix any possible issues now, Henry said.
Microsoft said the two September bulletins address issues that can be exploited by attackers by convincing users to take click on a malicious link or visit a website hosting attack code.
Bulletin MS12-061 resolves an issue in the Visual Studio Team Foundation Server. It could allow elevation of privilege if a user visits a webpage or clicks on a link in an email message from an attacker. Bulletin MS12-062 addresses a vulnerability in the System Center Configuration Manager. It could allow elevation of privilege if a user visits an affected website through a malicious URL.
Attackers usually entice users with links in email messages or Instant Messenger messages that take them to the intended webpage. Both bulletins patch cross-site scripting vulnerabilities. Neither issue has been discovered in the wild.
Software affected by the patches include Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1, Microsoft Systems Management Server 2003 Service Pack 3 and Microsoft System Center Configuration Manager 2007 Service Pack 2.