Microsoft is promising a light load of security updates for next Tuesday’s monthly patch release in an attempt to give Windows administrators and security teams time to prepare for an October change to certificate key length requirements.
Angela Gunn of Microsoft’s Security Response Team announced today that Microsoft expects to release only two bulletins next week, both rated important addressing privilege escalation vulnerabilities in Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1, Microsoft Systems Management Server 2003 Service Pack 3 and Microsoft System Center Configuration Manager 2007 Service Pack 2. The bulletins will be released Tuesday at 1 p.m. ET.
September is usually a light month for Microsoft updates and this is no exception, not that Windows managers won’t be busy with the certificate key length changes Microsoft communicated in June. At the start of the summer, Microsoft announced that it will release the requirement changes in its monthly update scheduled for Oct. 9.
As part of the October cycle, Microsoft will release an automatic updater function that will call out any certificates with RSA key lengths shorter than 1024; Microsoft urges customers to upgrade to 2048-bit certificates or higher. The updater will give Microsoft a mechanism to revoke untrusted or forged certificates going forward, in addition to those with the shorter key lengths which will automatically be considered invalid regardless of their trustworthiness. The updater will check daily for information about certificates that are no longer valid and will automatically revoke them; previously, this was a manual process.
“Though many have already moved away from such certificates, customers will want to take advantage of September’s quiet bulletin cycle to review their asset inventories,” Gunn wrote in a MSRC blog post today. “In particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they ‘still work’ and have not had any cause for review for some time.”
The impetus for the change stemmed from the discovery that the Flame malware toolkit was using a forged Microsoft certificate to sign malicious files and in some cases impersonate Windows Update. The updater will be available for Windows Vista SP2, Windows 7, Windows Server 2008 SP2 and Windows Server 2008 R2.
Microsoft also announced a list of known issues Windows managers should prepare for in advance of the October updates. Those include:
- Error messages when browsing to sites with certificates with keys less than 1024 bits
- Problems enrolling for certificates when a request attempts to use a key less than 1024 bits
- Difficulty creating or reading S/MIME email messages that utilize a key with less than 1024 bits for signatures or encryption
- Difficulties installing ActiveX controls signed with less than 1024 bit signatures
- Difficulties installing applications signed with less than 1024 bit signatures (those signed before Jan. 1, 2010 will not be blocked by default)
“This update to certificate key length requirements is yet another defense-in-depth measure that will help strengthen the Windows ecosystem,” Gunn said.