While Microsoft's September Patch Tuesday is being characterised as a "walk in the park," the upcoming October counterpart is likely to be a completely different story.
"Next month, Microsoft intends to introduce a change in their certificate strategy that they have been planning since the June timeframe when the Flame malware was abusing Microsoft certificates," said Wolfgang Kandek, CTO of security company Qualys.
"Microsoft fixed that, but then went on to a larger-scale audit of what the potential exposures might be. They will be moving towards certificates with longer keys because the shorter ones are much easier to forge. So we can expect that anything with less than 1,024 bits is not likely to be seen as secure communication anymore and will be subject to upgrade. Best practices for key-length are currently at 2,048 bits."
Failure to comply could lead to increased error messages, problems with enrolling certificates, difficulties with S/MIME messages and complications installing Active X controls.
Meanwhile, a separate vulnerability continues to be watched closely. A pair of issues with Java 7 was apparently patched by Oracle, but at least one research organisation has discovered new vulnerabilities that seem to have emerged as a result of the patch, itself. At this point, there is no word on whether Oracle intends to issue new patches, although the most recent one was made available without pre-announcement.
"The problem with Java is that it's extremely prevalent, and you can trick it into running by persuading someone to visit a particular web page," said Alex Horan, senior product manager at Core Security. "You have to work with the principle that there is always a vulnerability in those third-party packages and not rely on the vendors to keep them patched. You should have something to contain any compromise as soon as it happens."
The September Patch Tuesday preview, however, is shaping up to be a fairly simple one with only two bulletins in a list that is usually much longer.
Both are rated as "important" and relate to privilege escalation vulnerabilities, which usually imply that the attacker already has some malware on the system in order to conduct the exploit.
The first bulletin is believed to impact FoxPro, requiring the installation of Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1. The second bulletin is believed to be aimed at System Management Server and the installation of a new service pack.
"They are not high profile and the severity is not high," said Kandek. "But you still have to be attentive. You need to have a good inventory of the software that's actually installed on your enterprise. FoxPro is a little bit more likely to escape the attention of an IT administrator. But the System Management Server is not likely to slip through the cracks."
Meanwhile Horan warns that cyber criminals often take advantage of low-intensity vulnerabilities that IT administrators and channel partners may be slow to patch.
"In terms of deployment, it just means that you're touching fewer servers, which from an administrator standpoint is a good thing," he said.
"A lot of people don't put a high priority on elevation of privilege vulnerabilities, but they truly are a big deal because people usually take longer to patch them, and it's relatively easy to trick someone into running something for you that opens up an opportunity. So as an attacker, a privilege escalation vulnerability is pretty useful."
This article originally appeared at crn.com
Issue: 315 | May 2013
Access CRN's extensive online resources including; email bulletins, community discussions and unique online news.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can log on to the CRN website or start posting comments on articles.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain '@crn.com.au' to your white-listed senders.