Qualys Blog

www.qualys.com
wkandek

September 2012 Patch Tuesday Preview

Update
Bulletin 1 is for Team Foundation Server, not FoxPro as originally stated.

Original
Patch Tuesday for September shapes up to be a quiet month. There will be two bulletins next Tuesday, both rated "Important", affecting Microsoft Foundation Server and Microsoft System Management Server. If you have these products deployed, you should be on alert to evaluate the impact of the vulnerabilities in your infrastructure. But for most IT shops this will be a slow month, providing a great opportunity to work on normal infrastructure improvements and maybe take another look at Security Advisory 2661254 (KB2661254), which will go into automatic install mode in October.

KB2661254 is part of a Microsoft certificate review project that was triggered initially by the DigiCert incident and then accelerated by the discovery that the Flame malware was signed by a legitimate Microsoft certificate. Microsoft first revoked the Certificate Authorities used in a mandatory update, and then reengineered the Windows Update process to use additional security and integrity measures. KB2661254 is another step in hardening the overall Windows certificate infrastructure: it will treat any certificate signed with an RSA key shorter than 1024 bits as invalid. RSA key lengths under 1024 bits have been broken in the past and are considered forgeable. Current best practice for key length is 2048 bits.
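To find certificates that KB2661254 will start rejecting before the October switch to automatic install, it helps to audit the RSA key lengths in the certificates your own infrastructure presents. The following is an added example (not code from Qualys or Microsoft): a small DER walker that pulls the RSA modulus out of a certificate's SubjectPublicKeyInfo and applies the same 1024-bit minimum. The sample keys it builds are constructed numbers, not real keys; in practice you would feed it the SubjectPublicKeyInfo extracted from each certificate in your inventory.

```python
"""Audit RSA public-key lengths against the KB2661254 minimum (added example).

Assumptions: input is a DER-encoded SubjectPublicKeyInfo as embedded in an
X.509 certificate, and only rsaEncryption keys are checked (KB2661254 targets
RSA). The moduli used in the demo are constructed, not real key material.
"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
KB2661254_MIN_BITS = 1024


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(constructed_value):
    """Yield (tag, value) for each element inside a SEQUENCE value."""
    pos = 0
    while pos < len(constructed_value):
        tag, val, pos = _read_tlv(constructed_value, pos)
        yield tag, val


def rsa_modulus_bits(spki_der):
    """Return the RSA modulus size in bits, or None if the key is not RSA."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_id, bit_string = [v for _, v in _children(spki)]
    oid = next(v for t, v in _children(alg_id) if t == 0x06)
    if oid != RSA_OID:
        return None
    # BIT STRING payload: first byte is the unused-bit count (0), then RSAPublicKey
    _, rsa_key, _ = _read_tlv(bit_string[1:], 0)
    modulus = next(v for t, v in _children(rsa_key) if t == 0x02)
    return int.from_bytes(modulus, "big").bit_length()


def check_key_policy(spki_der, minimum_bits=KB2661254_MIN_BITS):
    """Return (accepted, bits). Non-RSA keys are outside the policy's scope."""
    bits = rsa_modulus_bits(spki_der)
    if bits is None:
        return True, None
    return bits >= minimum_bits, bits


# --- helpers to build constructed test input (DER encoder) -------------------

def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                      # keep the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def make_rsa_spki(modulus, exponent=65537):
    """Build a SubjectPublicKeyInfo for a (constructed, not real) RSA modulus."""
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, alg + _der(0x03, b"\x00" + key))


if __name__ == "__main__":
    # Constructed moduli of 512, 1024 and 2048 bits (set top and bottom bits only).
    for bits in (512, 1024, 2048):
        spki = make_rsa_spki((1 << (bits - 1)) | 1)
        accepted, size = check_key_policy(spki)
        print(f"{size}-bit RSA key: {'accepted' if accepted else 'REJECTED by KB2661254'}")
```

The 512-bit key is reported as rejected and the 1024- and 2048-bit keys as accepted, which matches the advisory's threshold; the interesting cases in a real audit are old internal CA roots and device certificates, which are exactly the ones this walk over the key length will surface.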

If you still have time left, consider spending time on your strategy for implementing IPv6, which should include both planning and lab time.
