September’s Patch Tuesday is a lightweight

Microsoft is suggesting that its customers use this lighter-than-usual September Patch Tuesday to ensure they are ready for October

There are only two security bulletins planned for September’s security update, and both are rated important rather than critical. The first is for Visual FoxPro, a set of tools for 32-bit database development and management. The second relates to System Center Configuration Manager. Neither of these products is exposed to the outside, so an attacker would already need a foothold on the system in order to leverage them. Both are described as privilege elevation vulnerabilities, and neither will require a reboot after installation – so September’s security update should be relatively painless.

However, Microsoft has issued a separate reminder that next month’s October 9 update will include advisory 2661254, an update requiring certificates to be signed with a minimum 1024-bit RSA key. “KB2661254 is part of a Microsoft Certificate Review project,” explains Wolfgang Kandek, CTO at Qualys, “that was triggered initially by the DigiCert incident and then accelerated by the discovery that the Flame malware was signed by a legitimate Microsoft certificate.”

Microsoft is suggesting that its customers use the quiet September to ensure they are ready for October. “Though many have already moved away from such certificates, customers will want to take advantage of September’s quiet bulletin cycle to review their asset inventories – in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they ‘still work’ and have not had any cause for review for some time,” said Trustworthy Computing’s Angela Gunn yesterday.

Since RSA keys of less than 1024 bits have been broken in the past, Microsoft is now requiring a 1024-bit minimum. “KB2661254 is another step in hardening the overall Windows certificate infrastructure,” explains Kandek. “It will consider any certificate signed with an RSA key having a length of less than 1024 bits as invalid.”

“1024 should, by the way,” adds Microsoft, “be considered a minimum length; the most up-to-date security practices recommend 2048 bits or even better.”
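To make the threshold concrete for an inventory review, here is an added example (not code from the article, from Microsoft or from Qualys) that reads the modulus out of a PKCS#1 RSAPublicKey DER structure and classifies the key against the 1024-bit minimum and the 2048-bit recommendation. It uses only the Python standard library; the sample keys are constructed integers with the required bit lengths, not real keys. One point worth seeing in code: a DER INTEGER whose top bit is set carries a leading 0x00 pad byte, so a naive "byte length times eight" check would report a 1024-bit modulus as 1032 bits.

```python
"""Classify RSA public keys by modulus length against the KB2661254 threshold.

Added example, not part of the article: a minimal DER walker for the PKCS#1
RSAPublicKey structure (SEQUENCE { INTEGER modulus, INTEGER publicExponent }).
"""
from typing import Dict, Tuple

MIN_BITS_KB2661254 = 1024   # keys shorter than this become invalid after the update
RECOMMENDED_BITS = 2048     # the recommended length quoted in the article


# --- minimal DER encoder, used only to build the constructed sample keys ------

def _encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_integer(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # DER INTEGER is signed: pad so the value stays positive
        body = b"\x00" + body
    return b"\x02" + _encode_length(len(body)) + body


def encode_rsa_public_key(modulus: int, exponent: int = 65537) -> bytes:
    inner = _encode_integer(modulus) + _encode_integer(exponent)
    return b"\x30" + _encode_length(len(inner)) + inner


# --- minimal DER decoder ------------------------------------------------------

def _read_tlv(data: bytes, offset: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_offset) for the TLV starting at offset."""
    tag = data[offset]
    first = data[offset + 1]
    offset += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    else:
        length = first
    return tag, data[offset:offset + length], offset + length


def rsa_modulus_bits(der: bytes) -> int:
    """Bit length of the modulus in a DER-encoded RSAPublicKey."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # int.from_bytes absorbs the sign-padding byte, so a 1024-bit modulus that
    # is encoded as 129 bytes still reports 1024 bits, not 1032.
    return int.from_bytes(modulus_bytes, "big").bit_length()


def classify_key(der: bytes) -> str:
    bits = rsa_modulus_bits(der)
    if bits < MIN_BITS_KB2661254:
        return f"{bits}-bit: invalid after KB2661254"
    if bits < RECOMMENDED_BITS:
        return f"{bits}-bit: meets minimum, below recommended"
    return f"{bits}-bit: meets recommendation"


# Constructed sample moduli: integers with the right bit length, not real keys.
SAMPLE_KEYS: Dict[str, bytes] = {
    "legacy-512": encode_rsa_public_key((1 << 511) | 0x1B),
    "border-1024": encode_rsa_public_key((1 << 1023) | 0x1B),
    "modern-2048": encode_rsa_public_key((1 << 2047) | 0x1B),
}


def audit(keys: Dict[str, bytes] = SAMPLE_KEYS) -> Dict[str, str]:
    """Classify every key in an inventory-style mapping of name -> DER key."""
    return {name: classify_key(der) for name, der in keys.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

In practice the DER blobs would come from the certificates in an asset inventory rather than from the constructed `SAMPLE_KEYS` mapping; `audit` takes any name-to-DER mapping so the same classification can be run over an exported store.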
