ID: IRCNE2012091610
Date: 2012-09-08
According to “Computerworld”, Microsoft said it will issue two security updates next week for its Visual Studio development platform and its System Center Configuration Manager, the company's enterprise patch and software distribution console.
The light month -- in August, for instance, Microsoft shipped nine updates -- will give IT admins time to prepare for an October update that invalidates all certificates with keys less than 1,024 bits long.
Microsoft first told users that it was going to disable all digital certificate keys shorter than 1,024 bits in June, saying then that it would issue an update in August to block Windows accessing short keys. Microsoft did ship the update last month, but made it an optional download. On Oct. 9, next month's Patch Tuesday, Microsoft will add the update to the Windows Update stream, effectively pushing it to everyone.
Companies can, of course, delay the October update using patch management software, such as Windows Server Update Service (WSUS).
Andrew Storms, director of security operations at nCircle Security, echoed Microsoft's advice to use the breathing room of this month's light patch schedule to prepare for the October key-length update. Storms posted an entry on nCircle's blog today that included links to several articles and support documents on Microsoft's site that explain the key invalidation update scheduled for next month.
"For most IT shops, this will be a slow month, providing a great opportunity to...take another look at Security Advisory 2661254 (KB2661254), which will go into automatic-install mode in October," said Wolfgang Kandek, CTO of Qualys, in an email, referring to the key-length deprecation.
The October update to kill certificates with shorter -- and thus more vulnerable -- keys was triggered by the discovery of Flame, the sophisticated espionage tool discovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape, and used a variety of modules to pilfer information. Among its tricks was one called the "Holy Grail" by researchers: It managed to spoof Windows Update, Microsoft's update service, to infect completely-patched Windows PCs.
Microsoft reacted by killing off some of its own certificates and beefing up Windows Update's security.
During its investigation into Flame, Microsoft decided to harden the Windows certificate infrastructure. The result was its decision to block access to certificates with keys shorter than 1,024 bits.
Next week's update, while light, was still interesting to Storms, who noted that Patch Tuesday will not fix any flaws in Internet Explorer (IE), making this the first month in the last four to omit the browser.
Microsoft will release the two updates at approximately 1 p.m. ET on Sept. 11.
- 3