Microsoft gives users a patch break, and time to prep for certificate slaying

Use the light Patch Tuesday to get ahead of key invalidation update slated for October, say experts

Microsoft today said it will issue two security updates next week for its Visual Studio development platform and its System Center Configuration Manager, the company's enterprise patch and software distribution console.

The Redmond, Wash. developer outlined the two bulletins, company-speak for its security updates, in today's advance notification.

The light month -- in August, for instance, Microsoft shipped nine updates -- will give IT admins time to prepare for an October update that invalidates all certificates with keys less than 1,024 bits long.

"Customers will want to take advantage of September's quiet bulletin cycle to review their asset inventories," said Angela Gunn of the Trustworthy Computing group, in a Thursday blog post.

Microsoft first told users that it was going to disable all digital certificate keys shorter than 1,024 bits in June, saying then that it would issue an update in August to block Windows accessing short keys. Microsoft did ship the update last month, but made it an optional download. On Oct. 9, next month's Patch Tuesday, Microsoft will add the update to the Windows Update stream, effectively pushing it to everyone.

Companies can, of course, delay the October update using patch management software, such as Windows Server Update Service (WSUS).

Andrew Storms, director of security operations at nCircle Security, echoed Microsoft's advice to use the breathing room of this month's light patch schedule to prepare for the October key-length update. "It's crunch time," he said. "It's one of those things that people may have forgotten about, and if [the October update] is approved, then things could break."

Storms posted an entry on nCircle's blog today that included links to several articles and support documents on Microsoft's site that explain the key invalidation update scheduled for next month.

Other security experts backed up Storms.

"For most IT shops, this will be a slow month, providing a great opportunity to...take another look at Security Advisory 2661254 (KB2661254), which will go into automatic-install mode in October," said Wolfgang Kandek, CTO of Qualys, in an email, referring to the key-length deprecation.

Marcus Carey, a security researcher at Rapid7, agreed. "The light patch month in September will allow organizations to prepare for this, which is great as it has the potential to break things if applications are still using outdated certificates," said Carey, also in an email. "It almost seems as if Microsoft is intentionally giving organizations a light patch month so they can focus on updating their legacy certificates."

That's certainly possible, said Storms. "They could have made an administrative decision to delay other updates to give enterprises time [to work on their certificates]," he said.

Microsoft used that same tactic in March 2007, said Storms, when it issued no security bulletins because it wanted to give customers time to apply a Daylight Saving Time update to Windows that had been prompted by widespread changes in the U.S.

Next week's slate will be smaller than in past Septembers, Storms noted: In 2011, Microsoft shipped five updates that month, while in 2010 and 2009, the company issued 10 and five, respectively.

The October update to kill certificates with shorter -- and thus more vulnerable -- keys was triggered by the discovery of Flame, the sophisticated espionage tool discovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape, and used a variety of modules to pilfer information. Among its tricks was one called the "Holy Grail" by researchers: It managed to spoof Windows Update, Microsoft's update service, to infect completely-patched Windows PCs.

Microsoft reacted by killing off some of its own certificates and beefing up Windows Update's security.

During its investigation into Flame, Microsoft decided to harden the Windows certificate infrastructure. The result was its decision to block access to certificates with keys shorter than 1,024 bits.

"I'd bet that they always wanted to do this," said Storm, "but historically, Microsoft wants to support all their customers, even those with much older systems that rely on shorter keys. Because of Flame, they had a good reason to make this move."

Next week's update, while light, was still interesting to Storms, who noted that Patch Tuesday will not fix any flaws in Internet Explorer (IE), making this the first month in the last four to omit the browser.

In July, Microsoft announced it was ditching IE's every-other-month schedule, and would ship patches when they were ready.

Microsoft will release the two updates at approximately 1 p.m. ET on Sept. 11.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is

See more by Gregg Keizer on

Copyright © 2012 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon