Microsoft gives users a patch break, and time to prep for certificate slaying
Use the light Patch Tuesday to get ahead of key invalidation update slated for October, say experts
Computerworld - Microsoft today said it will issue two security updates next week for its Visual Studio development platform and its System Center Configuration Manager, the company's enterprise patch and software distribution console.
The Redmond, Wash. developer outlined the two bulletins, company-speak for its security updates, in today's advance notification.
The light month -- in August, for instance, Microsoft shipped nine updates -- will give IT admins time to prepare for an October update that invalidates all certificates with keys less than 1,024 bits long.
"Customers will want to take advantage of September's quiet bulletin cycle to review their asset inventories," said Angela Gunn of the Trustworthy Computing group, in a Thursday blog post.
Microsoft first told users that it was going to disable all digital certificate keys shorter than 1,024 bits in June, saying then that it would issue an update in August to block Windows accessing short keys. Microsoft did ship the update last month, but made it an optional download. On Oct. 9, next month's Patch Tuesday, Microsoft will add the update to the Windows Update stream, effectively pushing it to everyone.
Companies can, of course, delay the October update using patch management software, such as Windows Server Update Service (WSUS).
Andrew Storms, director of security operations at nCircle Security, echoed Microsoft's advice to use the breathing room of this month's light patch schedule to prepare for the October key-length update. "It's crunch time," he said. "It's one of those things that people may have forgotten about, and if [the October update] is approved, then things could break."
Storms posted an entry on nCircle's blog today that included links to several articles and support documents on Microsoft's site that explain the key invalidation update scheduled for next month.
Other security experts backed up Storms.
"For most IT shops, this will be a slow month, providing a great opportunity to...take another look at Security Advisory 2661254 (KB2661254), which will go into automatic-install mode in October," said Wolfgang Kandek, CTO of Qualys, in an email, referring to the key-length deprecation.
Marcus Carey, a security researcher at Rapid7, agreed. "The light patch month in September will allow organizations to prepare for this, which is great as it has the potential to break things if applications are still using outdated certificates," said Carey, also in an email. "It almost seems as if Microsoft is intentionally giving organizations a light patch month so they can focus on updating their legacy certificates."
That's certainly possible, said Storms. "They could have made an administrative decision to delay other updates to give enterprises time [to work on their certificates]," he said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts