Skip the navigation

Microsoft gives users a patch break, and time to prep for certificate slaying

Use the light Patch Tuesday to get ahead of key invalidation update slated for October, say experts

September 6, 2012 04:16 PM ET

Computerworld - Microsoft today said it will issue two security updates next week for its Visual Studio development platform and its System Center Configuration Manager, the company's enterprise patch and software distribution console.

The Redmond, Wash. developer outlined the two bulletins, company-speak for its security updates, in today's advance notification.

The light month -- in August, for instance, Microsoft shipped nine updates -- will give IT admins time to prepare for an October update that invalidates all certificates with keys less than 1,024 bits long.

"Customers will want to take advantage of September's quiet bulletin cycle to review their asset inventories," said Angela Gunn of the Trustworthy Computing group, in a Thursday blog post.

Microsoft first told users that it was going to disable all digital certificate keys shorter than 1,024 bits in June, saying then that it would issue an update in August to block Windows accessing short keys. Microsoft did ship the update last month, but made it an optional download. On Oct. 9, next month's Patch Tuesday, Microsoft will add the update to the Windows Update stream, effectively pushing it to everyone.

Companies can, of course, delay the October update using patch management software, such as Windows Server Update Service (WSUS).

Andrew Storms, director of security operations at nCircle Security, echoed Microsoft's advice to use the breathing room of this month's light patch schedule to prepare for the October key-length update. "It's crunch time," he said. "It's one of those things that people may have forgotten about, and if [the October update] is approved, then things could break."

Storms posted an entry on nCircle's blog today that included links to several articles and support documents on Microsoft's site that explain the key invalidation update scheduled for next month.

Other security experts backed up Storms.

"For most IT shops, this will be a slow month, providing a great opportunity to...take another look at Security Advisory 2661254 (KB2661254), which will go into automatic-install mode in October," said Wolfgang Kandek, CTO of Qualys, in an email, referring to the key-length deprecation.

Marcus Carey, a security researcher at Rapid7, agreed. "The light patch month in September will allow organizations to prepare for this, which is great as it has the potential to break things if applications are still using outdated certificates," said Carey, also in an email. "It almost seems as if Microsoft is intentionally giving organizations a light patch month so they can focus on updating their legacy certificates."

That's certainly possible, said Storms. "They could have made an administrative decision to delay other updates to give enterprises time [to work on their certificates]," he said.

Our Commenting Policies