ISC Diary

We only expect two bulletins from Microsoft tomorrow [1]. Both bulletins are rated important. The first one affects Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1, and the second one affects Microsoft Systems Management Server 2003 Service Pack 3  as well as Microsoft System Center Configuration Manager 2007 Service Pack 2. 

While these are popular software packages, they are far less popular then some of the usual suspects (Office, Windows, Internet Explorer). In part, the low number of bulletins appears to be intentional, to not distract from the more complex issue which will affect Windows users starting with the October update set: Windows will no longer allow SSL certificates with RSA keys that are less then 1024 bits in length. The update is already available to allow for testing, but in October, it will be pushed as a patch.

The reason Microsoft is so careful with this update is that it will not just effect certificates issues by Microsoft and other well known certificate authorities, but it will also affect internal certificates. For example if you are using an internal certificate authority, and created certificates with insufficient key sizes to sign e-mail messages via S/MIME, these certificates will no longer work after you applied the update [3].

As a first step, you should install the patch on a test system, and watch for any problems. You should also carefully inventory your certificates, in particular if you are using non-standard (internal) certificate authorities. As you are recreating new certificates, DO NOT create 1024 bit RSA keys. Windows will still accept them, but 1024 bits is an absolute minimum size, and not necessarily sufficient. 2048 or 4096 bits is the size you should try to use. 

[1] technet.microsoft.com/en-us/security/bulletin/ms12-sep
[2] technet.microsoft.com/en-us/security/advisory/2661254
[3] support.microsoft.com/kb/2661254

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter