Microsoft Patch Tuesday: Light September, Prep For October's Certificate Policy Change


September's Microsoft Patch Tuesday has only two bulletins, suggesting that channel partners and IT administrators are coincidentally getting an easy month in advance of an important shift in Microsoft's certificate policy, which is likely to require far more attention in October.

The first bulletin is designed to address a vulnerability in Visual Studio Team Foundation Server that could allow elevation of privilege if a user is persuaded to click a link to a malicious website. In all cases, however, an attacker would have no way to force users to perform these actions.

The second bulletin focuses on a potential elevation of privilege attack against System Center Configuration Manager, which would be conducted in the same manner.

[Related: Channel@Work: Microsoft Teen Center Makeover]

"Both of these bulletins affect software that is not widely deployed across most networks," said Jason Miller, manager of research and development at VMware. "Administrators should know where these are on their networks, which will make it fairly easy to patch. Both are very much similar vulnerabilities involving cross-site scripting. So the attacks would be pretty limited and pretty targeted."

Cross-site scripting (XSS) is a type of browser attack that injects client-side scripts into Web pages that are intended to be viewed by the targeted individuals. The objective is usually to bypass access controls or make similar changes to policy.

Both vulnerabilities are listed as important, but not critical, leading to speculation that some administrators may leave the patches on the back burner indefinitely.

"A lot of people probably aren't even done with last month's patches anyway," said Andrew Storms director of security operations at nCircle. "It usually takes a month and a half to two months for most enterprises to deploy the patches across the full enterprise. So now they can focus on how to catch up from last month, and get their hands around certificate changes forthcoming in October."

At issue is a change in Microsoft's certificate policy that invalidates any certificate with 1,024 bits or less.

"This all started off with the Flame virus, which stole the Microsoft certificates and used them on a piece of malware," explained Miller. "So Microsoft has been taking a deeper look at certificates, and decided that any certificate that is less than 1,024 bits in length will get invalidated. This can cause issues in the program itself, and might actually stop working. So you need to identify if you have any of these certificates, determine their location and then plan accordingly. If you had to, you could remove that security update until you work out the final details."

Added Storms, "It's in the download center today and will get pushed through the Windows update channel in October. At that point, all the systems that take the update will start acting on that new logic."

Channel partners and IT administrators are urged to begin a checklist for addressing the certificate policy changes as soon as possible.

PUBLISHED SEPT. 11, 2012