Overview of Microsoft’s Digital Certificate Changes

Microsoft has been moving quickly on a major change to how digital certificates are handled at the operating system level.  With these changes, Microsoft is helping its users harden their environments.  The information has been released across several Patch Tuesdays, and there has been a lot of it.  So, you may need some help deciphering exactly what is going on, how it affects you, and what you need to do as an administrator.

I am going to first break this down by the date each was released so you can get a good idea of this whole process:

June 12
Microsoft announced an automatic updater that checks for certificates Microsoft has blacklisted and moved to the Disallowed Certificate Trust List (CTL) as untrusted.  At this time, the automatic updater is only available for newer Microsoft operating systems (Windows Vista, Windows 7, Windows 2008 R2).  This new tool will check daily for certificate updates Microsoft may release.

The Windows PKI blog also released information, stating that Microsoft will be releasing an automatic certificate updater for all operating systems in August.

July 10
Microsoft released Security Advisory 2728973.  This security advisory is a non-security update that moves all Microsoft digital certificates that are not more than 1024 bits in length to the untrusted certificate store.  At this time, Microsoft is only addressing its own digital certificates that are not more than 1024 bits in length.  But this will all change during the August 2012 Patch Tuesday.

In addition, Microsoft changed the digital certificate automatic updater (2677070), released during the June 2012 Patch Tuesday, to a critical non-security update.  By changing the severity of the non-security update, this update will show missing and install by default on Windows Update.

August 14 (what to expect)
Microsoft will be releasing a non-security update moving all digital certificates less than 1024 bits in length to the untrusted certificate store.  UPDATE:  The non-security update that will be released by Microsoft will block certificates (not move certificates).

Let’s take a look at some common questions administrators may have with all of these changes:

What are the most common issues I could face with the August 14th update?
The most common issue users could see is getting invalid certificate errors when browsing to secure websites that have a digital certificate less than 1024 bits in length.

What are all the issues that users could face with the August 14th update?
This is the full list from the Windows PKI blog:

  • Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
  • Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
  • Creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
  • Installing ActiveX controls that were signed with less than 1024 bit signatures
  • Installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to January 1, 2010, which will not be blocked by default)

Why are certificates under 1024 bits considered a risk?
Attackers could potentially brute-force any certificate with a key less than 1024 bits in length.  This is becoming more of a threat as computers gain more and more processing power.  A computation that once would have taken all of NASA’s computers could potentially be completed by an attacker armed with a few powerful machines.  The risk of weak certificate keys has been a common topic of conversation in the security industry.

Why is an automatic updater for certificates so important for me?
The Flame virus is a perfect example of why we all need help with digital certificate maintenance.  Flame found a way to hijack a trusted, legitimate Microsoft digital signature.  Once Microsoft identified this breach of digital signature trust, they released a non-security update moving the digital certificate to the untrusted store.  With the automatic updater, Microsoft will be able to approve and disapprove digital signatures quickly and easily.  This helps administrators, as you will no longer have to watch for these non-security updates from Microsoft.

Is the automatic updater for root certificates only for bad/untrusted certificates?
The updater Microsoft released deals with both trusted and untrusted certificates.  Previously, Microsoft updated its root certificates through the non-security update “Update for Root Certificates”.  This update typically comes out a few times per year on Patch Tuesday.  It is just another non-security update that you will not need to worry about once the automatic updater is installed.

What are the administrators’ next steps with this change?

Be prepared
Identify any internal certificates used in your organization that are less than 1024 bits in length.  If any are found, make a plan to replace them as soon as possible.  If you cannot replace these certificates between now and the August Patch Tuesday, hold off on applying this update for now.  Please note that this certificate change from Microsoft is a good security measure, and you should look at adopting it at your earliest convenience.
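As an added example (not part of the original post, and not a Microsoft tool), the following PowerShell enumerates the common local machine and current user certificate stores and lists any RSA certificate whose key is shorter than 1024 bits.  It assumes a Windows host with the standard Cert: provider available; the store list is a hypothetical starting point you can extend.

```powershell
# Added example, not from the original post: flag RSA certificates with keys
# shorter than 1024 bits in the common Windows certificate stores.
# Assumes PowerShell 2.0 or later with the built-in Cert: drive.
$stores = @(
    'Cert:\LocalMachine\My',  'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\My',   'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
)

$weak = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        # The August 2012 change targets RSA keys; skip other key algorithms.
        if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
        $keySize = $cert.PublicKey.Key.KeySize
        if ($keySize -lt 1024) {
            New-Object PSObject -Property @{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                KeySize    = $keySize
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

if ($weak) {
    # Weakest keys first; expired entries still matter if they are chained to.
    $weak | Sort-Object KeySize, NotAfter |
        Format-Table Store, KeySize, NotAfter, Subject -AutoSize
} else {
    Write-Output 'No RSA certificates with keys shorter than 1024 bits were found.'
}
```

Run it on a representative set of servers and workstations, not just one machine, since user stores and internal CA-issued certificates vary by host.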

Inform your users and help desk
When you apply this certificate update, it will be important to inform your help desk and users about the security change.  This will help identify any issues with the change as soon as possible and allow a quick turnaround on a fix for your users.  With a change this major, knowledge is power for users, help desk staff and admins.

Firewall implications
If you are running a locked-down Internet environment where users are only allowed to reach certain web sites, you will need to add a couple of entries.  These are the static URLs the automatic updater checks daily:
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Stay informed
I will be updating this as new information becomes available.  We know more changes are coming during the August 2012 Patch Tuesday.  Watch Microsoft’s PKI blog, Microsoft SRD blog and Microsoft’s MSRC blog for more information.  To date, Microsoft has put out a lot of information on these changes to help their customers.

Resources:
There is a lot of information regarding this subject available from Microsoft.  Here are some key areas to review for more information.
Windows PKI Blog- Blocking RSA Keys Less than 1024 bits (part 2)
Windows PKI Blog- RSA keys under 1024 bits are blocked
Microsoft Security Research & Defense Blog-Microsoft’s continuing work on digital certificates

– Jason Miller

July 2012 Patch Tuesday Overview

Microsoft has released nine bulletins addressing 16 vulnerabilities in the July 2012 edition of Patch Tuesday.

The most important bulletin this month, which administrators should look at addressing first and foremost, is the Security Bulletin addressing a Zero-Day vulnerability in Microsoft XML Core Services (MS12-043).  During the June 2012 Patch Tuesday, Microsoft released a Security Advisory stating they were aware of active, but limited, attacks against a vulnerability in Microsoft XML Core Services.  In the past week, the code for this exploit has been made public, making this patch even more important in terms of severity.  With this vulnerability, a user browsing to a malicious website with Internet Explorer can be subject to Remote Code Execution.

With the Security Advisory release, Microsoft offered customers a few workarounds to mitigate the risk of an exploit on customer machines.  If you applied the workaround that disables Active Scripting in Internet Explorer, you may want to remove this locked-down setting after applying the patches for this bulletin to restore functionality for your users.  A second option Microsoft provided is a FixIt tool that locks down MSXML with the Enhanced Mitigation Experience Toolkit (EMET).  In this scenario, administrators should consider leaving the lockdown in place, as it should not (in most cases) interfere with their users’ day-to-day browsing.

There is one last note with MS12-043 that administrators should be aware of:  Microsoft XML Core Services 5.0 contains the vulnerability, but a security bulletin has not been published for this version of the software.  Microsoft is still testing the code fix for the vulnerability and will make the patch available when it is ready.  Look for this patch to be available within the next two weeks or in the August 2012 Patch Tuesday.

Outside of MS12-043, there are two other bulletins that administrators will want to focus on.  Both continue the trend of vulnerabilities that can be exploited through web browsing.  Attacks through malicious websites are still the most common active attack.

For the first time in a long while, Microsoft has gone consecutive months with a Cumulative Security Update for Internet Explorer.  Typically, we can expect an update to Microsoft’s Internet Explorer browser every other month.  Microsoft has released Security Bulletin MS12-044, a patch for Internet Explorer version 9, to address two vulnerabilities.  If a user browses to a malicious website with Internet Explorer 9, the attack could result in Remote Code Execution.

Continuing with the browser-based attacks this month, Microsoft released Security Bulletin MS12-045.  This security bulletin addresses two vulnerabilities in Microsoft Data Access Components (MDAC).  Similar to the previous security bulletins mentioned, navigating to a malicious website with an unpatched system can result in Remote Code Execution.  In addition, a user opening a Microsoft Office document with a malicious embedded ActiveX control can be subject to Remote Code Execution.

Microsoft also released two new security advisories.  Microsoft Security Advisory 2719662 shows how Microsoft is assisting administrators in hardening their networks.  Windows Vista and Windows 7 both include Windows Gadgets and Windows Sidebar.  Both of these technologies could allow a user to load a malicious plugin.  Microsoft has provided administrators a FixIt tool that disables Windows Gadgets and Windows Sidebar.  It appears Microsoft is taking a more proactive approach to “patching” versus their older model of patching.  As I state in all of my monthly webinars, if you do not use a program, remove it from the computer.  This FixIt tool is another example of reducing the vulnerability landscape on computers.

With the other Microsoft Security Advisory (KB2728973), Microsoft released even more updates for its digital certificate hardening effort.  I will be talking about this subject later this week.

I will be going over the July Patch Tuesday in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our Monthly Patch Tuesday webinar.  This webinar is scheduled for next Wednesday, July 11th at 11:00am CT. You can register for this webinar here.

– Jason Miller

July 2012 Patch Tuesday Advanced Notification

Microsoft has released their Advanced Notification for the upcoming July 2012 edition of Patch Tuesday.  During this round, Microsoft will be releasing nine bulletins addressing 16 vulnerabilities.

I am assuming that Microsoft will indeed be patching a vulnerability that has seen limited zero-day attacks.  During the June 2012 Patch Tuesday, Microsoft released a Security Advisory (KB2719615) announcing a vulnerability in MSXML that had limited attacks against it.  On Patch Tuesday, pay particular attention to whether Microsoft releases a patch for this Zero-Day vulnerability.

In addition, every computer on your network will face some type of patching this month.  One of the bulletins has quite a few products associated with it.

Security Bulletin Breakdown:

  • 3 bulletins are rated as Critical
  • 6 bulletins are rated as Important
  • 5 bulletins addressing vulnerabilities that could lead to Remote Code Execution
  • 3 bulletins addressing vulnerabilities that could lead to Elevation of Privilege
  • 1 bulletin addressing vulnerabilities that could lead to Information Disclosure

Affected Products:

  • All supported versions of Microsoft Operating Systems
  • Microsoft Internet Explorer 9
  • All supported versions of Microsoft Office products (2003, 2007, 2010)
  • Microsoft InfoPath 2007, 2010
  • Microsoft SharePoint Server 2007, 2010
  • Microsoft Groove Server 2010
  • Microsoft SharePoint Services 3.0
  • Microsoft SharePoint Foundation 2010
  • Microsoft Office Web Apps 2010
  • Microsoft Visual Basic for Applications
  • Microsoft Visual Basic for Applications SDK

I will be going over the July Patch Tuesday in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our Monthly Patch Tuesday webinar.  In addition, I will be spending some time discussing the Flame virus situation.  This webinar is scheduled for next Wednesday, July 11th at 11:00am CT.  You can register for this webinar here.

– Jason Miller