Qualys Blog

www.qualys.com
wkandek

September 2012 Patch Tuesday

Today’s Microsoft Patch Tuesday should be a relatively fast event for most IT organizations. Microsoft released two bulletins, both rated "important" and both addressing Cross-Site Scripting (XSS) vulnerabilities. MS12-061 affects the development product Visual Studio Team Foundation Server, and MS12-062 affects the system administration product Systems Management Server (and its successor, System Center Configuration Manager). These products have a limited installed base, so only a small number of organizations need to install these updates.

In other security-related news, Security Advisory 2661254, which tightens the Windows certificate acceptance rules, deserves attention. KB2661254 will move into automatic installation through Windows Update in October, and IT admins should be aware of the consequences. The update changes how Windows validates certificates: it stops accepting certificates whose RSA keys are shorter than 1024 bits, because keys of that size can be factored with modest computing resources, which hands an attacker the private key and lets them forge signatures. The associated Microsoft Support article explains that the services potentially impacted by KB2661254 are web browsing over SSL/TLS and e-mail (S/MIME). For more background on the recent Microsoft certificate changes, look at Microsoft’s reaction to the DigiCert incident (the Malaysian intermediate CA Digicert Sdn. Bhd., which had issued certificates with 512-bit RSA keys) and the recent events around the Flame malware, which carried a forged Microsoft certificate.

For Internet-accessible websites, our research data from the SSL Pulse project indicates that only two of the websites we monitor use a certificate with a short RSA key. End users who access these sites after the update will see the following warning:

[Screenshot: Windows certificate error shown for a site using a 512-bit RSA certificate (rsa_512_cert_errors.PNG)]

Microsoft’s newest operating system, Windows 8, already implements these tighter certificate checks, so installing KB2661254 standardizes certificate handling across Windows versions. Microsoft is not alone in outlawing this type of certificate: Google Chrome users will also run into a similar error, which is worded more technically:

[Screenshot: Google Chrome certificate error for the same 512-bit RSA certificate (rsa_512_cert_errors_chrome2.PNG)]

We recommend installing KB2661254 on a limited number of internal machines in your organization this month to gather feedback on potential impacts before the automatic rollout in October. Your external websites can easily be checked for this type of key with our SSL Labs tool. For internal sites and other services that use certificates, such as mail servers and VPN gateways, we recommend a scanning tool with SSL support, which all major scanners include; in Qualys the relevant check is Qualys Id 38171 – Server Public Key too small.
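As an added example (not code from the Qualys post), the following PowerShell script performs the two checks recommended above without a scanner: it audits the local Windows certificate stores for RSA keys shorter than 1024 bits, the threshold KB2661254 enforces, and then retrieves and inspects the certificate presented by a list of internal TLS endpoints (web, IMAP over TLS, SSL VPN). The host names and ports in `$Endpoints` are placeholders for your own inventory and do not refer to any system named in the post.

```powershell
# Added example, not code from the Qualys post: find RSA public keys shorter
# than 1024 bits, which Windows will reject once KB2661254 is installed.
# Part 1 walks the local certificate stores; Part 2 checks remote TLS endpoints.
# The hosts/ports in $Endpoints are placeholders, not systems from the post.

$MinimumRsaBits = 1024

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # KB2661254 only concerns RSA; return $null for DSA/ECC so they are skipped.
    if ($Cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return $null }
    return $Cert.PublicKey.Key.KeySize
}

function Test-WeakRsaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $bits = Get-RsaKeySize -Cert $Cert
    return ($null -ne $bits -and $bits -lt $MinimumRsaBits)
}

# ---- Part 1: local certificate stores (CurrentUser and LocalMachine) --------
# Intermediates and roots matter as well: a weak key anywhere in a chain makes
# the whole chain fail validation after the update. Run elevated to see every
# LocalMachine store.
$weakLocal = Get-ChildItem -Path Cert:\ -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object { Test-WeakRsaCertificate -Cert $_ } |
    Select-Object PSParentPath, Subject, Issuer, NotAfter, Thumbprint,
        @{ Name = 'RsaBits'; Expression = { Get-RsaKeySize -Cert $_ } }

"Weak RSA certificates in local stores: $(@($weakLocal).Count)"
$weakLocal | Format-Table -AutoSize

# ---- Part 2: remote TLS endpoints -------------------------------------------
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server sends: the goal is to read the key size,
        # so a weak, expired or self-signed certificate must not abort the check.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

# Placeholder inventory; implicit-TLS ports only. STARTTLS services (SMTP 25/587,
# IMAP 143) need the application-protocol handshake first and are not covered here.
$Endpoints = @(
    @{ Host = 'intranet.example.internal'; Port = 443 },   # internal web server
    @{ Host = 'mail.example.internal';     Port = 993 },   # IMAP over TLS
    @{ Host = 'vpn.example.internal';      Port = 443 }    # SSL VPN gateway
)

foreach ($ep in $Endpoints) {
    try {
        $cert = Get-RemoteCertificate -HostName $ep.Host -Port $ep.Port
        $bits = Get-RsaKeySize -Cert $cert
        if (Test-WeakRsaCertificate -Cert $cert) { $verdict = 'WEAK: rejected after KB2661254' }
        elseif ($null -eq $bits) { $verdict = 'non-RSA key, not affected' }
        else { $verdict = 'OK' }
        "{0}:{1}  {2}  RSA bits={3}  {4}" -f $ep.Host, $ep.Port, $cert.Subject, $bits, $verdict
    } catch {
        "{0}:{1}  connection or handshake failed: {2}" -f $ep.Host, $ep.Port, $_.Exception.Message
    }
}
```

The remote check deliberately disables chain validation so that the very certificates the update will reject can still be pulled and measured; it reports only the leaf certificate, so a weak intermediate in the server's chain would still have to be caught by the local-store audit or by a scanner such as SSL Labs or the Qualys check mentioned above.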
