SpiderLabs Blog

Microsoft Patch Tuesday September 2012 – Update those Certs!

Written by | Sep 11, 2012 8:32:00 AM

As we mentioned last week there are only two patches this month! Not to mention they are only rated 'Important' and not 'Critical' which is great since it means less work for all of us but that doesn't mean you shouldn't apply them if needed. So few patches means you can focus more on the optional (this month) non-security update (KB2661254). This update was first released last month but just about everyone ignored it then. KB2661254 will require users to employ certificates with an RSA key length of at least 1024 bits. Which for most of us shouldn't be that big of a deal as you really should be already using 1024 bit certs as a minimum by now anyway. But there are at least1% of you out there, according to the 2012 Trustwave Global Security Report that are still 1using 512-bitcertificates! While you are in the process of updating those old certs, and you have all this extra time this month from only needing to apply two patches, you might as well update your 1024 bit certs to a even more robust 2048 bits, 4096bits or higher.

There has been a lot of nasty malware out lately using spoofed certs, like the recent Flame malware. So while you have a little extra time this month root around in the back of your IT closet for that old server that never gets touched because "it just works" you know the one, the one you avoid, the one in the corner that the other department is protective about, the one that lives under that one guys desk, yeah that one. Go update it. If you are still using IIS 5 and 6 and not using Certificate Revocation Lists now would be a good time enable that feature, it is on by default in IIS 7.

Be warned though that updating key lengths might cause some error messages and will definitely require a reboot. Just because updating your key lengths is optional this month doesn't mean you should ignore it or put it off any longer than you need to because next month it will be required and stuff will start breaking if you don't have this update. Things like Internet Explorer tossing up error messages to your visitors saying your certs are untrusted. Things like Outlook not being able to encrypt or even sign email. Those issues are nothing though when you realize that Outlook 2010 won't even be able to connect to an Exchange Server using a cert with less than 1024 bits. So save yourself some headaches next month and update those key lengths now.

MS12-061 (KB 2719584)

IMPORTANT

Elevation of Privilege in Visual Studio Team Foundation Server

CVE-2012-1892

Visual Studio Team Foundation Server allows users to easily share project plans, work products, and progress assessments and a whole bunch of other stuff. There is are flecked XSS (Cross Site Scripting) vulnerability though that could allow a bad guy to inject a client side script into a web browser that is using Team Foundation Server web access. Basically that would allow the bad guy increased privileges if a user clicks a specially crafted link in an email or on a website. Once the script is installed the bad guy could then spoof content, steal information or do anything that the original user could do. If for some reason you can't apply this patch at the very least you should enable the XSS filter in local intranet security zone for IE 8 and 9. You can find this from the Tools menu -> Security Tab-> Local intranet -> Custom Level -> Settings -> Scripting ->Enable XSS filter. But it is so much easier to just apply the patch.

MS12-062 (KB 2741528)

IMPORTANT

Elevation of Privilege in System Center Configuration Manager

CVE-2012-2536

System Center Configuration Manager helps organizations maintain corporate compliance by managing physical, virtual, and mobile clients with things like application delivery, desktop virtualization, security and other cool stuff. However there is a vulnerability that can be exploited by tricking a user into visiting a specially crafted URL. Like MS12-061 this one is also a reflected XSS vulnerability, which could allow the bad guys code torun. Again if you can't install this patch be sure to at least enable the XSSfilter in IE 8 and 9.

Researchers at Trustwave Spiderlabs are actively investigating these bulletins thoroughly, using the information from Microsoft and other sources to develop protections for our customers against these threats as quickly as we can.

Now, go update those certs!