February’s Microsoft Patch Tuesday promises to be a relatively straightforward set of bulletins, but more noteworthy is that it’s the same day Microsoft officially deprecates the MD5 hash algorithm.
Announced last August, Microsoft will officially restrict the use of digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program. The update will be rolled out on Tuesday, but Windows administrators have had six months to download and test the update as to whether it would impact other areas of a company’s respective infrastructure.
Microsoft said in August that the change applies only to certificates used for server authentication, code signing and time stamping. Microsoft also said it would not block other uses of MD5, and that it would allow for signed binaries that were signed before March 2009.
The general recommendation is that companies move to a stronger algorithm such as SHA2 or better. MD5—and SHA1—have been broken for some time. Weaknesses in MD5 go back to the mid-1990s and collisions were identified in 2005.
As for Tuesday’s security bulletins, two of the five are rated critical by Microsoft because they are remote-code execution bugs in Windows and Microsoft security software. The other three bulletins are rated important and resolve privilege escalation, information disclosure and denial-of-service flaws in Windows and .NET.
The critical Windows bulletin affects Windows 7, Windows Server 2008 R2, Windows 8 and 8.1., Windows Server 2012 and 2012 R2, as well as Windows RT and RT 8.1. The other critical bulletin affects Microsoft Forefront Protection 2010 for Exchange Server.
“Given a remote code execution in a perimeter service like Forefront, I’d have to say that this is the highest priority patching issue this month. The second is, not surprisingly, the critical in Windows 7 and later,” said Ross Barrett, senior manager of security engineering at Rapid7. “The other three issues are all of lower risk and likely lower exploitability, ranging from information disclosure to denial of service and elevation of privilege. Not to be ignored, but should be of slightly less concern than remote critical vulnerabilities.”
Tyler Reguly, manager of security research at Tripwire, said the Forefront bug is worth watching.
“While I wouldn’t expect the software to have a huge user base, vulnerabilities affecting email security can be particularly dangerous especially when you consider the current number for phishing and email malware attacks,” Reguly said.
Two of the important-rated bulletins affect Windows all the way back to XP; the other affects Windows 8 and later. Windows XP support ends April 8.
What’s missing this month is a cumulative rollup for Internet Explorer, the first time in close to a year that Microsoft has not issued patches for its browser.
“This month is a very Windows-centric month and, once again, there’s no IE patch in sight,” said Tripwire’s Reguly. “Given the frequency of browser vulnerabilities and how often they are patched, the length of time we’ve gone without an IE patch is rather worrisome.”
