Microsoft has been moving quickly on a major change to how the operating system evaluates digital certificates. With these changes, Microsoft is helping its users harden their environments from a security standpoint. This information has been released across several Patch Tuesdays, and there has been a LOT of it. So, you may need some help deciphering just exactly what is going on, how it affects you and what you need to do as an administrator.
I am going to first break this down by the date each was released so you can get a good idea of this whole process:
Microsoft announced an automatic updater that will check for certificates that have been blacklisted and moved, as untrusted certificates, into the Disallowed Certificate Trust List (CTL). At this time, the automatic updater is only available for newer Microsoft operating systems (Windows Vista, Windows 7, Windows 2008 R2). This new tool will check daily for certificate updates Microsoft may release.
The Windows PKI blog also released information, stating that Microsoft will be releasing an automatic certificate updater for all operating systems in August.
Microsoft released Security Advisory 2728973. This advisory ships as a non-security update that moves all Microsoft digital certificates that are not more than 1024 bits in length to the untrusted certificate store. At this time, Microsoft is only addressing its own digital certificates of that length. But this will all change during the August 2012 Patch Tuesday.
In addition, Microsoft changed the digital certificate automatic updater (2677070), released during the June 2012 Patch Tuesday, to a critical non-security update. With this severity change, the update will show as missing and install by default through Windows Update.
August 14 (what to expect)
Microsoft will be releasing a non-security update moving all digital certificates less than 1024 bits in length to the untrusted certificate store. UPDATE: The non-security update that will be released by Microsoft will block certificates (not move certificates).
Let’s take a look at some common questions administrators may have with all of these changes:
What are the most common issues I could face with the August 14th update?
The most common issue users will see is invalid certificate errors when browsing to secure websites whose digital certificate uses a key less than 1024 bits in length.
What are all the issues that users could face with the August 14th update?
This is the full list from the Windows PKI blog:
• Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
• Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
• Creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
• Installing ActiveX controls that were signed with less than 1024 bit signatures
• Installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to January 1, 2010, which will not be blocked by default).
Why are certificates under 1024 bits considered a risk?
Attackers could potentially brute-force any certificate key less than 1024 bits in length. This is becoming more of a threat as computers gain more and more processing power. A computation that once would have taken all of NASA’s computers could potentially be completed by an attacker armed with a few powerful machines. The risk of weak certificate keys has been a common conversation in the security industry for some time.
Why is an automatic updater for certificates so important for me?
The Flame virus is a perfect example of why we all need help with digital certificate maintenance. Flame found a way to hijack a trusted, legitimate digital signature from Microsoft. Once Microsoft identified this breach of the digital signature trust, it released a non-security update to move the digital certificate to the untrusted store. With the automatic updater, Microsoft will be able to easily and rapidly trust and distrust certificates, which helps administrators because you will no longer have to watch for these individual non-security updates from Microsoft.
Is the automatic updater for root certificates only for bad/untrusted certificates?
The updater Microsoft released deals with both trusted and untrusted certificates. Previously, Microsoft updated its root certificates through the non-security update “Update for Root Certificates”, which typically comes out a few times per year on Patch Tuesday. This is just one more non-security update you will not need to worry about once the automatic updater is installed.
What are the administrators’ next steps with this change:
Identify any internal certificates used in your organization that are less than 1024 bits in length. If any are found, make a plan to replace them as soon as possible. If you cannot replace these certificates between now and the August Patch Tuesday, hold off on applying this update for now. Please note that this certificate change from Microsoft is a good security measure, and you should look at adopting it at your earliest convenience.
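One way to carry out that inventory on a Windows host, as an added example that is not from the original post: it flags RSA certificates under 1024 bits in the machine and user certificate stores and in the Authenticode signers of files under a directory. It assumes Windows PowerShell with the Cert: drive, a hypothetical helper name Test-WeakRsaCertificate, and a placeholder directory C:\InternalApps.

```powershell
# Added example (not code from the original post). Reports X.509 certificates whose
# RSA public key is shorter than 1024 bits, the length the August update blocks.
$MinimumKeyBits = 1024

function Test-WeakRsaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Only RSA keys are covered by the new minimum; other algorithms are skipped.
    if ($Certificate.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') { return $null }
    $bits = $Certificate.PublicKey.Key.KeySize
    if ($bits -ge $MinimumKeyBits) { return $null }
    New-Object PSObject -Property @{
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        KeyBits    = $bits
        NotBefore  = $Certificate.NotBefore
        NotAfter   = $Certificate.NotAfter
        Thumbprint = $Certificate.Thumbprint
    }
}

# 1. Certificates installed in the machine and user stores (internal CA, web
#    server, S/MIME and enrollment certificates all live here).
$weakInStores = Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object { Test-WeakRsaCertificate -Certificate $_ }

# 2. Authenticode signers of executables under a directory (C:\InternalApps is a
#    placeholder). The pre-January-2010 signing exemption mentioned in the post is
#    not evaluated here; check the signing time of any hit before deciding.
$weakSigners = Get-ChildItem -Path 'C:\InternalApps' -Include *.exe, *.dll, *.msi -Recurse |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.SignerCertificate -eq $null) { return }   # unsigned file
        $weak = Test-WeakRsaCertificate -Certificate $sig.SignerCertificate
        if ($weak -eq $null) { return }
        $weak | Add-Member -MemberType NoteProperty -Name File -Value $_.FullName -PassThru
    }

$weakInStores | Sort-Object KeyBits | Format-Table Subject, Issuer, KeyBits, NotBefore, NotAfter -AutoSize
$weakSigners  | Format-Table File, Subject, KeyBits -AutoSize
```

Run it on a representative client and on each internal web, mail and CA server; an empty result for both lists means the August update can be applied without the issues listed above.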
Inform your users and help desk
When you apply this certificate update, it will be important to inform your help desk and users about the security change. This will help identify any issues with the change as soon as possible and give a quick turnaround on a fix for your users. With a change this major, knowledge is power for users, help desk and admins.
If you are running a locked-down Internet environment where users are only allowed to reach certain web sites, you will need to add a couple of entries for the static URLs the automatic updater checks in with daily:
I will be updating this as new information becomes available. We know more changes are coming during the August 2012 Patch Tuesday. Watch Microsoft’s PKI blog, Microsoft SRD blog and Microsoft’s MSRC blog for more information. To date, Microsoft has put out a lot of information on these changes to help their customers.
There is a lot of information regarding this subject available from Microsoft. Here are some key areas to review for more information.
Windows PKI Blog- Blocking RSA Keys Less than 1024 bits (part 2)
Windows PKI Blog- RSA keys under 1024 bits are blocked
Microsoft Security Research & Defense Blog-Microsoft’s continuing work on digital certificates
– Jason Miller