Experts urge prep for Microsoft's cert-blocking update

Scan networks for too-short keys, audit systems, test Oct. update before it rolls out, urge security pros

Microsoft yesterday delivered two security updates that patched two vulnerabilities in Visual Studio Team Foundation Server and System Center Configuration Manager.

But security experts essentially ignored the updates -- with some telling users they could delay deploying them -- and again hammered home the message that enterprises should use the small slate to prepare for a potentially disruptive update Microsoft has scheduled for October.

Microsoft's pair of updates -- tagged as MS12-061 and MS12-062 -- were both rated "important," the company's second-highest threat ranking, and could be used by attackers to acquire elevated rights to a compromised system.

"These can safely be postponed until it's convenient to install them, maybe next month when Microsoft releases its October Patch Tuesday updates," said Wolfgang Kandek, CTO of Qualys, in an interview yesterday.

"I agree, there's no need to patch these immediately," said Amol Sarwate, manager of Qualys' vulnerability research lab.

Instead, said Kandek, Sarwate and other security professionals, Microsoft customers should use the next month to audit their networks for soon-to-be-crippled digital certificates, and to test the changes set to hit Windows Update on Oct. 9.

The move was triggered by the discovery of Flame, the sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the landscape, and pilfered information. Among its tricks was what one researcher called the "Holy Grail": it spoofed Windows Update to infect completely patched Windows PCs.

Microsoft reacted by killing off some of its own certificates and beefing up Windows Update's security. It also decided to harden the Windows certificate infrastructure by blocking access to certificates with keys shorter than 1,024 bits.

"With something that's this big of a change, everyone should be testing the [Oct. 9] update," urged Jason Miller, manager of research and development at VMware.

Microsoft first offered the update last month, posting it as a manual download on its Download Center, so it is available for testing.

Kandek recommended IT administrators scan their networks for digital certificate keys shorter than 1,024 bits. "For internal sites and other services that use certificates such as mail servers and VPNs, we recommend using a scanning tool with SSL support, which all major scanners include," Kandek said.
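The check a scanner with SSL support performs once it has a certificate in hand is to read the RSA modulus out of the certificate's SubjectPublicKeyInfo and measure its bit length. The following is an added example, not code from the article or from Qualys or Microsoft: a minimal ASN.1 DER walker that locates the RSA modulus in a DER certificate (or a bare SubjectPublicKeyInfo), reports its size, and flags anything under 1,024 bits. The sample keys are constructed, random odd numbers of the requested size rather than real RSA moduli, and the fake certificate assembled in the docstring test carries empty issuer, validity and subject fields purely so the walk can be exercised offline; the names `vpn-gw`, `mail` and `intranet` are placeholders.

```python
"""Audit RSA key sizes in DER certificates / SubjectPublicKeyInfo blobs.

Added example (not from the Computerworld article). Only the DER encoding
helpers are needed to build constructed samples; the decoding functions are
what an audit tool needs. Sample moduli are constructed, not real RSA keys.
"""
import secrets

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
MIN_KEY_BITS = 1024  # threshold enforced by Microsoft's October update


# ---- DER encoding helpers (used to build constructed test inputs) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # DER INTEGER is signed: pad so the value stays positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_rsa_spki(modulus, exponent=65537):
    """Encode SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING RSAPublicKey }."""
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _tlv(0x30, _der_oid(RSA_ENCRYPTION_OID) + b"\x05\x00")  # NULL params
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))


def constructed_modulus(bits):
    """Odd number with its top bit set: right size, NOT a real RSA modulus."""
    return (1 << (bits - 1)) | secrets.randbits(bits - 1) | 1


# ---- DER decoding (the audit side) ----
def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def spki_from_certificate(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 order)."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:  # optional [0] EXPLICIT version comes first
        pos = nxt
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)
    return tbs[pos:end]


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo; ValueError otherwise."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_id, pos = _read_tlv(spki, 0)
    oid_tag, oid_body, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06 or _decode_oid(oid_body) != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_pub, _ = _read_tlv(bit_string, 1)  # skip the unused-bits octet
    int_tag, modulus, _ = _read_tlv(rsa_pub, 0)
    if int_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # A leading 0x00 pad byte does not count toward the key size.
    return int.from_bytes(modulus, "big").bit_length()


def audit_keys(named_spkis, min_bits=MIN_KEY_BITS):
    """Return {name: bits} for every key shorter than min_bits."""
    sizes = {name: rsa_modulus_bits(der) for name, der in named_spkis.items()}
    return {name: bits for name, bits in sizes.items() if bits < min_bits}


if __name__ == "__main__":
    samples = {n: build_rsa_spki(constructed_modulus(b))
               for n, b in [("vpn-gw", 512), ("mail", 1024), ("intranet", 2048)]}
    for name, bits in audit_keys(samples).items():
        print(f"{name}: {bits}-bit RSA key is below {MIN_KEY_BITS} bits")
```

In practice the input to `spki_from_certificate` is the DER certificate a scanner pulls from each TLS endpoint (for example `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))` from the standard library), and `audit_keys` then produces the list of hosts to reissue before the update lands. The parser deliberately rejects non-RSA keys rather than guessing: the October block concerns RSA key length, and an ECC key reported as "short" would be a false positive.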

"The audit is going to be the big thing," said Miller. "But it's the amount of time to fix [and uncovered problems] that could be drastic."

Most experts expected some fallout from next month's key-crippling update, but were cautiously optimistic that disruptions would impact a small number of firms and websites.

"I don't think there will be a lot of companies that are negatively affected," predicted Miller, "but some will be crippled."

Kandek and Sarwate of Qualys concurred.

"There are very few [affected] keys out there, for a number of reasons," argued Kandek. "Certificate authorities have been giving out these keys [longer than 1,024 bits] for a while now. Basically, they will be very old certificates obtained some time ago."

Certificates are generally valid for just one or two years, said Kandek, although there are exceptions. During Qualys' survey of website certificates, for example, the company found some keys that were valid for either three or five years.

"Embedded devices might be at risk," explained Sarwate. "Kiosks running an embedded version of Windows, for example, might not be updated with new certificates very often."

The most likely enterprise problem areas, added Miller, include VPN, or "virtual private network," gateways that workers use to establish a secure offsite connection with the company's network. Another potential trouble spot: email servers.

"We recommend installing [Microsoft's update] on a limited number of internal machines in your organization this month to gather feedback on potential impacts," Kandek said.

IT administrators can, of course, back out the update if they later uncover problems they can't solve before Oct. 9. "You can remove that security update if necessary, and redeploy it later," said Miller.

Windows 8, which reached RTM (release to manufacturing) last month, and has been handed to enterprises for deployment, has the shorter-certificate blocking already in place.

"If anything, the most important thing is to get the word out," said Miller. "Microsoft has been talking about this since June, but I recently talked to two [IT administrators] and they had no idea that this was coming."

Microsoft will distribute the certificate key update on Oct. 9 through Windows Update and WSUS (Windows Server Update Services). Enterprise IT administrators can use WSUS or other patch management consoles to block the update from reaching some or all PCs and servers.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is
