While the September Patch Tuesday is being characterized as a "walk in the park," the upcoming October counterpart is likely to be a completely different story.
"Next month, Microsoft intends to introduce a change in their certificate strategy that they have been planning since the June timeframe, when the Flame malware was abusing Microsoft certificates," said Kandek. "Microsoft fixed that, but then went on to a larger-scale audit of what the potential exposures might be. So they will be moving towards certificates with longer keys, because the shorter ones are much easier to forge. So, we can expect that anything with less than 1,024 bits is not likely to be seen as secure communication anymore and will be subject to upgrade. Best practices for key length are currently at 2,048 bits."
Once that change ships, certificates whose RSA keys are shorter than 1,024 bits will no longer be accepted, so organizations that have not replaced them can expect more error messages, problems enrolling certificates, difficulties with S/MIME messages and complications installing ActiveX controls.
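The key-length floor Kandek describes is straightforward to audit before the update arrives. What follows is an added example, not code from the article, from Microsoft or from Qualys: a standard-library Python script that walks a certificate's DER encoding down to the SubjectPublicKeyInfo, reads the RSA modulus, and classifies the key against the 1,024-bit floor and the 2,048-bit best practice quoted above. The certificates it builds for demonstration are constructed, unsigned dummies (placeholder names, a meaningless signature field), and the `classify` labels and threshold names are my own assumptions, not Microsoft's terminology.

```python
"""Audit X.509 certificates for RSA keys shorter than the 1,024-bit floor,
flagging keys below the 2,048-bit best practice as well. Standard library only:
a minimal DER walk pulls the modulus out of SubjectPublicKeyInfo."""
import base64
import re

MIN_BITS = 1024          # floor the October change is expected to enforce (assumption: label is mine)
RECOMMENDED_BITS = 2048  # best practice quoted by Kandek
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(data, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def pem_to_der(pem):
    """Strip PEM armour and base64-decode the first certificate found."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    """Wrap a DER certificate in PEM armour (used to exercise pem_to_der)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def rsa_key_bits(cert_der):
    """Return the RSA modulus size in bits, or None if the key is not RSA."""
    _, cert, _ = _read_tlv(cert_der)                 # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])        # tbsCertificate fields
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    algorithm, public_key = _children(fields[5][1])
    if _children(algorithm[1])[0][1] != RSA_OID:
        return None
    _, rsa_seq, _ = _read_tlv(public_key[1][1:])     # BIT STRING: skip unused-bits byte
    modulus = _children(rsa_seq)[0][1]               # RSAPublicKey.modulus INTEGER
    return int.from_bytes(modulus, "big").bit_length()


def classify(bits):
    """Map a key size to the outcome the October change implies (labels are assumptions)."""
    if bits is None:
        return "not-rsa"
    if bits < MIN_BITS:
        return "blocked"     # will be rejected once the update is installed
    if bits < RECOMMENDED_BITS:
        return "weak"        # still accepted, but below best practice
    return "ok"


# --- constructed sample input: dummy certificates, not real ones ------------

def _der(tag, value):
    """Encode one DER TLV with definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _integer(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b                              # keep INTEGER positive
    return _der(0x02, b)


def make_test_cert(modulus_bits):
    """Structurally valid, unsigned dummy cert whose RSA modulus has exactly modulus_bits bits."""
    modulus = (1 << (modulus_bits - 1)) | 1          # top bit set -> exact size
    rsa_pub = _der(0x30, _integer(modulus) + _integer(65537))
    algorithm = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_pub))
    name = _der(0x30, b"")                           # empty Name (placeholder)
    validity = _der(0x30, _der(0x17, b"120911000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _integer(2)) + _integer(1) + algorithm
               + name + validity + name + spki)
    return _der(0x30, tbs + algorithm + _der(0x03, b"\x00" * 17))  # dummy signature


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        size = rsa_key_bits(make_test_cert(bits))
        print(f"{size}-bit RSA key: {classify(size)}")
```

To audit real certificates, feed `rsa_key_bits` the output of `pem_to_der` on each exported PEM file; anything that comes back `blocked` needs replacing before the update lands, and `weak` entries are the ones to schedule for a 2,048-bit reissue.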
Meanwhile, a separate vulnerability continues to be watched closely. A pair of issues in Java 7 was apparently patched by Oracle, but at least one research organization has discovered new vulnerabilities that appear to have been introduced by the patch itself. At this point, there is no word on whether Oracle intends to issue further patches, although the most recent one was released without advance announcement.
"The problem with Java is that it's extremely prevalent, and you can trick it into running by persuading someone to visit a particular Web page," said Horan. "You have to work with the principle that there is always a vulnerability in those third-party packages and not rely on the vendors to keep them patched. You should have something to contain any compromise as soon as it happens."