Microsoft gives users a patch break, and time to prep for certificate slaying

Use the light Patch Tuesday to get ahead of key invalidation update slated for October, say experts

By , Computerworld |  Security, Microsoft

Marcus Carey, a security researcher at Rapid7, agreed. "The light patch month in September will allow organizations to prepare for this, which is great as it has the potential to break things if applications are still using outdated certificates," said Carey, also in an email. "It almost seems as if Microsoft is intentionally giving organizations a light patch month so they can focus on updating their legacy certificates."

That's certainly possible, said Storms. "They could have made an administrative decision to delay other updates to give enterprises time [to work on their certificates]," he said.

Microsoft used that same tactic in March 2007, said Storms, when it issued no security bulletins because it wanted to give customers time to apply a Daylight Saving Time update to Windows that had been prompted by widespread changes in the U.S.

Next week's slate will be smaller than in past Septembers, Storms noted: In 2011, Microsoft shipped five updates that month, while in 2010 and 2009, the company issued 10 and five, respectively.

The October update to kill certificates with shorter -- and thus more vulnerable -- keys was triggered by the discovery of Flame, the sophisticated espionage tool discovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape, and used a variety of modules to pilfer information. Among its tricks was one called the "Holy Grail" by researchers: It managed to spoof Windows Update, Microsoft's update service, to infect completely patched Windows PCs.

Microsoft reacted by killing off some of its own certificates and beefing up Windows Update's security.

During its investigation into Flame, Microsoft decided to harden the Windows certificate infrastructure. The result was its decision to block access to certificates with keys shorter than 1,024 bits.
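To see what the 1,024-bit cutoff means in practice, here is an added example (not code from the article, Microsoft or Rapid7) that walks the DER encoding of an X.509 SubjectPublicKeyInfo with only the Python standard library, reads the RSA modulus, and flags any key below the threshold. The sample keys are constructed (a modulus of 2^(n-1)+1 is not a real RSA key) purely to exercise the length check; in a real audit you would feed it the public-key blobs pulled from your own certificate stores and application bundles.

```python
"""Audit SubjectPublicKeyInfo blobs for RSA keys shorter than 1024 bits.

Stand-alone ASN.1/DER walker using only the standard library. The sample
keys below are constructed (modulus = 2^(n-1) + 1) to exercise the length
check; they are not real RSA keys.
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
MIN_KEY_BITS = 1024  # cutoff described in the article


def _der_length(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    """Wrap content in a tag-length-value triple."""
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der(0x02, body)


def encode_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Build a SubjectPublicKeyInfo for an RSA key (RFC 3279 layout)."""
    algorithm = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    rsa_public_key = _der(0x30, _der_integer(modulus) + _der_integer(exponent))
    bit_string = _der(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return _der(0x30, algorithm + bit_string)


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes):
    """Return the RSA modulus bit length, or None if the key is not RSA."""
    tag, outer, _ = _read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, algorithm, pos = _read_tlv(outer)
    oid_tag, oid, _ = _read_tlv(algorithm)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        return None  # ECDSA, DSA, etc. are outside this check
    bs_tag, bit_string, _ = _read_tlv(outer, pos)
    if bs_tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    _, rsa_key, _ = _read_tlv(bit_string[1:])  # skip the unused-bits octet
    int_tag, modulus, _ = _read_tlv(rsa_key)
    if int_tag != 0x02:
        raise ValueError("RSAPublicKey.modulus must be an INTEGER")
    # int.from_bytes drops the sign-padding 0x00, so bit_length is exact.
    return int.from_bytes(modulus, "big").bit_length()


def audit(keys: dict) -> dict:
    """Map key label -> 'blocked' (RSA < 1024 bits), 'ok', or 'not-rsa'."""
    result = {}
    for label, spki in keys.items():
        bits = rsa_modulus_bits(spki)
        if bits is None:
            result[label] = "not-rsa"
        elif bits < MIN_KEY_BITS:
            result[label] = "blocked"
        else:
            result[label] = "ok"
    return result


# Constructed sample keys (not real RSA moduli): 512, 1024 and 2048 bits.
SAMPLE_KEYS = {
    "legacy-512": encode_rsa_spki((1 << 511) | 1),
    "edge-1024": encode_rsa_spki((1 << 1023) | 1),
    "modern-2048": encode_rsa_spki((1 << 2047) | 1),
}

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_KEYS).items():
        print(f"{label}: {verdict}")
```

The 1,024-bit key is reported as `ok` because the cutoff is "shorter than 1,024 bits"; anything you see flagged `blocked` is exactly the class of certificate the October update will stop trusting, which is why the September lull is the time to find and reissue them.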

"I'd bet that they always wanted to do this," said Storms, "but historically, Microsoft wants to support all their customers, even those with much older systems that rely on shorter keys. Because of Flame, they had a good reason to make this move."

Next week's update, while light, was still interesting to Storms, who noted that Patch Tuesday will not fix any flaws in Internet Explorer (IE), making this the first month in the last four to omit the browser.

In July, Microsoft announced it was ditching IE's every-other-month schedule, and would ship patches when they were ready.

Originally published on Computerworld |  Click here to read the original story.