Microsoft gives users a patch break, and time to prep for certificate slaying
Use the light Patch Tuesday to get ahead of key invalidation update slated for October, say experts
Computerworld - Microsoft today said it will issue two security updates next week for its Visual Studio development platform and its System Center Configuration Manager, the company's enterprise patch and software distribution console.
The Redmond, Wash. developer outlined the two bulletins, company-speak for its security updates, in today's advance notification.
The light month -- in August, for instance, Microsoft shipped nine updates -- will give IT admins time to prepare for an October update that invalidates all certificates with keys less than 1,024 bits long.
"Customers will want to take advantage of September's quiet bulletin cycle to review their asset inventories," said Angela Gunn of the Trustworthy Computing group, in a Thursday blog post.
Microsoft first told users that it was going to disable all digital certificate keys shorter than 1,024 bits in June, saying then that it would issue an update in August to block Windows accessing short keys. Microsoft did ship the update last month, but made it an optional download. On Oct. 9, next month's Patch Tuesday, Microsoft will add the update to the Windows Update stream, effectively pushing it to everyone.
Companies can, of course, delay the October update using patch management software, such as Windows Server Update Service (WSUS).
Andrew Storms, director of security operations at nCircle Security, echoed Microsoft's advice to use the breathing room of this month's light patch schedule to prepare for the October key-length update. "It's crunch time," he said. "It's one of those things that people may have forgotten about, and if [the October update] is approved, then things could break."
Storms posted an entry on nCircle's blog today that included links to several articles and support documents on Microsoft's site that explain the key invalidation update scheduled for next month.
Other security experts backed up Storms.
"For most IT shops, this will be a slow month, providing a great opportunity to...take another look at Security Advisory 2661254 (KB2661254), which will go into automatic-install mode in October," said Wolfgang Kandek, CTO of Qualys, in an email, referring to the key-length deprecation.
Marcus Carey, a security researcher at Rapid7, agreed. "The light patch month in September will allow organizations to prepare for this, which is great as it has the potential to break things if applications are still using outdated certificates," said Carey, also in an email. "It almost seems as if Microsoft is intentionally giving organizations a light patch month so they can focus on updating their legacy certificates."
That's certainly possible, said Storms. "They could have made an administrative decision to delay other updates to give enterprises time [to work on their certificates]," he said.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Market Overview: Digital Customer Experience Delivery Platforms Forrester states that businesses today struggle to understand and use the tools necessary to create and manage unified, multichannel digital customer experiences across...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Malware and Vulnerabilities White Papers | Webcasts