Experts urge prep for Microsoft's cert-blocking update
Scan networks for too-short keys, audit systems, test Oct. update before it rolls out, urge security pros
Computerworld - Microsoft yesterday delivered two security updates that patched two vulnerabilities in Visual Studio Team Foundation Server and System Center Configuration Manager.
But security experts essentially ignored the updates -- with some telling users they could delay deploying them -- and again hammered home the message that enterprises should use the small slate to prepare for a potentially disruptive update Microsoft has scheduled for October.
Microsoft's pair of updates -- tagged as MS12-061 and MS12-062 -- were both rated "important," the company's second-highest threat ranking, and could be used by attackers to acquire elevated rights to a compromised system.
"These can safely be postponed until it's convenient to install them, maybe next month when Microsoft releases its October Patch Tuesday updates," said Wolfgang Kandek, CTO of Qualys, in an interview yesterday.
"I agree, there's no need to patch these immediately," said Amol Sarwate, manager of Qualys' vulnerability research lab.
Instead, said Kandek, Sarwate and other security professionals, Microsoft customers should use the next month to audit their networks for soon-to-be-crippled digital certificates, and to test the changes set to hit Windows Update on Oct. 9.
The move was triggered by the discovery of Flame, the sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the landscape, and pilfered information. Among its tricks was what one researcher called the "Holy Grail": it spoofed Windows Update to infect completely patched Windows PCs.
Microsoft reacted by killing off some of its own certificates and beefing up Windows Update's security. It also decided to harden the Windows certificate infrastructure by blocking access to certificates with keys shorter than 1,024 bits.
"With something that's this big of a change, everyone should be testing the [Oct. 9] update," urged Jason Miller, manager of research and development at VMware.
Microsoft first offered the update last month, posting it as a manual download on its Download Center, so it is available for testing.
Kandek recommended IT administrators scan their networks for digital certificate keys shorter than 1,024 bits. "For internal sites and other services that use certificates such as mail servers and VPNs, we recommend using a scanning tool with SSL support, which all major scanners include," Kandek said.
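One way to run the audit Kandek describes, as an added example that is not part of the article and not a Qualys tool: the script below uses only the Python standard library, walks a DER-encoded X.509 certificate down to its SubjectPublicKeyInfo, and reports whether the RSA modulus falls under the 1,024-bit threshold. `check_tls_endpoint` fetches a live server certificate (an internal web server, mail server or VPN gateway) over TLS; `build_test_cert` is an assumed helper that constructs an unsigned, structurally valid certificate skeleton with a modulus of a chosen width so the checker can be exercised offline. Names, the constructed certificates and the placeholder host are all assumptions.

```python
"""Audit X.509 certificates for RSA public keys shorter than 1,024 bits.

Added example, not code from the article. Standard library only: a minimal
DER walker locates subjectPublicKeyInfo and measures the RSA modulus.
"""
import ssl
import sys

MIN_RSA_BITS = 1024                                   # threshold of the October update
RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at `pos`; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def rsa_bits_from_spki(spki):
    """Return the RSA modulus length in bits, or None if the key is not RSA."""
    _, start, _ = _read_tlv(spki, 0)                  # SubjectPublicKeyInfo SEQUENCE
    _, alg_start, alg_end = _read_tlv(spki, start)    # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = _read_tlv(spki, alg_start)
    if oid_tag != 0x06 or spki[oid_start:oid_end] != RSA_OID:
        return None                                   # EC/DSA keys are out of scope here
    bs_tag, bs_start, bs_end = _read_tlv(spki, alg_end)
    if bs_tag != 0x03:
        raise ValueError("expected BIT STRING for subjectPublicKey")
    rsa_key = spki[bs_start + 1:bs_end]               # skip the unused-bits octet
    _, seq_start, _ = _read_tlv(rsa_key, 0)           # RSAPublicKey SEQUENCE
    mod_tag, mod_start, mod_end = _read_tlv(rsa_key, seq_start)
    if mod_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    modulus = int.from_bytes(rsa_key[mod_start:mod_end], "big")  # leading 0x00 pad is harmless
    return modulus.bit_length()


def rsa_bits_from_cert_der(cert):
    """Walk Certificate -> TBSCertificate -> subjectPublicKeyInfo and measure the key."""
    _, tbs_pos, _ = _read_tlv(cert, 0)                # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert, tbs_pos)              # TBSCertificate SEQUENCE
    tag, _, nxt = _read_tlv(cert, pos)
    if tag == 0xA0:                                   # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                                # serial, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert, pos)
    _, _, spki_end = _read_tlv(cert, pos)
    return rsa_bits_from_spki(cert[pos:spki_end])


def audit_cert(der):
    """Report the key size and whether it is below the 1,024-bit cut-off."""
    bits = rsa_bits_from_cert_der(der)
    return {"rsa_bits": bits, "weak": bits is not None and bits < MIN_RSA_BITS}


def check_tls_endpoint(host, port=443):
    """Fetch the leaf certificate presented by host:port and audit it (network call)."""
    pem = ssl.get_server_certificate((host, port))
    return audit_cert(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test fixtures (assumed helpers, not real certificates) -------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, (b"\x00" + b) if b[0] & 0x80 else b)


def build_test_cert(modulus_bits, exponent=65537):
    """Unsigned certificate skeleton whose RSA modulus has exactly `modulus_bits` bits.
    The modulus is a synthetic odd number, not a product of primes: it only exists
    so the parser can be tested offline. Names and validity are empty placeholders."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg
               + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, audit_cert(build_test_cert(bits)))
    if len(sys.argv) > 1:                             # e.g. python audit.py mail.example.internal
        print(sys.argv[1], check_tls_endpoint(sys.argv[1]))
```

Run it with an internal hostname as the first argument to audit a live service; without arguments it only exercises the constructed fixtures. Only the leaf certificate is examined, so a short key further up an internal chain still needs the scanner Kandek mentions, or a walk over the exported chain with the same `audit_cert` call.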
"The audit is going to be the big thing," said Miller. "But it's the amount of time to fix [uncovered problems] that could be drastic."
Most experts expected some fallout from next month's key-crippling update, but were cautiously optimistic that disruptions would impact a small number of firms and websites.
"I don't think there will be a lot of companies that are negatively affected," predicted Miller, "but some will be crippled."
Kandek and Sarwate of Qualys concurred.