Well, it’s Microsoft’s Patch Tuesday, as many people know. While this is a monthly event, this month’s release has a “critical” component that may have had some organizations scrambling a bit. The critical patch in question, disclosed in Security Advisory 2661254, is an update that addresses vulnerabilities affecting FAST Search Server 2010 and Microsoft Exchange and requires RSA key lengths of at least 1,024 bits. The change has been brought about to address a significant security flaw famously exploited in the Flame cyber-espionage incident, which undermined PKI certificate security and abused Windows Update to authorize the installation of malware. The community has had ample time to prepare for the update, as September was a reasonably minor Patch Tuesday month and warnings about this update started back in June. Still, organizations with legacy certificates in their environment have had to work towards updating those elements in preparation for today’s update, and hopefully have done so already.
With this enforcement, a number of effects could be felt if you have not located and replaced every RSA key shorter than 1,024 bits: error messages, application failures and outages could be in store for some. Six other patches are listed as “important” and affect a number of Microsoft products such as Lync, Office, and SQL Server. As noted in an article on the Wikibon blog, best practice is to move to 2,048-bit keys wherever possible, in line with the standards advised by the National Institute of Standards and Technology (NIST). Back in January 2011, NIST recommended a standard of 2,048 bits, leaving the 1,024-bit standard as deprecated. Naturally, technical capacity and operational impact must be assessed before making that next jump.
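The inventory step above is the part most organizations struggle with, so here is an added example of how to do it on a Windows host. It is not code from the original post or from Microsoft; it walks the local certificate stores with the built-in `Cert:` drive in Windows PowerShell 5.1 and flags every RSA certificate that is shorter than the 1,024-bit minimum the update enforces, and separately those below the 2,048-bit NIST recommendation. The store paths, threshold values and output columns are assumptions you can adjust for your environment.

```powershell
# Inventory RSA certificates in the local Windows certificate stores and flag those
# whose public key is shorter than 1,024 bits (blocked once Security Advisory 2661254
# is applied) or shorter than 2,048 bits (below the NIST recommendation).
# Assumptions: Windows PowerShell 5.1; the store list below is a starting point, not
# an exhaustive one. Save as Find-WeakRsaCerts.ps1 and run from an elevated prompt
# so that the LocalMachine stores are readable.
param(
    [int]$EnforcedMinimumBits = 1024,
    [int]$RecommendedBits     = 2048,
    [string[]]$StorePaths = @(
        'Cert:\LocalMachine\My',     # machine certificates used by IIS, Exchange, Lync, SQL Server
        'Cert:\LocalMachine\Root',   # trusted roots, including any internal or legacy CAs
        'Cert:\LocalMachine\CA',     # intermediate CAs
        'Cert:\CurrentUser\My'       # user certificates (S/MIME, smart card logon, etc.)
    )
)

# rsaEncryption OID; the key-length enforcement applies to RSA keys only,
# so ECC and DSA certificates are skipped rather than misreported.
$rsaOid = '1.2.840.113549.1.1.1'

$report = foreach ($path in $StorePaths) {
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        if ($cert.PublicKey.Oid.Value -ne $rsaOid) { return }   # 'return' = skip this cert
        $bits = $cert.PublicKey.Key.KeySize                      # modulus length in bits
        if ($bits -ge $RecommendedBits) { return }               # nothing to report

        $status = 'Below NIST 2048-bit recommendation'
        if ($bits -lt $EnforcedMinimumBits) { $status = 'Blocked by Security Advisory 2661254' }

        [pscustomobject]@{
            Status     = $status
            KeyBits    = $bits
            Store      = $path
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Shortest keys first, so the ones that will break after the update top the list.
$report | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize

# Keep a copy for tracking remediation (reissue at 2,048 bits, then remove the old cert):
# $report | Export-Csv -Path .\weak-rsa-certs.csv -NoTypeInformation
```

Run it on each server that terminates TLS, signs mail or authenticates users, not just on the CA, because a weak certificate is only discovered where it is installed. Anything reported as blocked must be reissued at 2,048 bits (the recommended size, rather than the bare minimum) and replaced before the update is rolled out, and the `Issuer` column tells you which CA chain also needs attention if the weak key belongs to an intermediate or root.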
Events like these often force organizations into a refreshed inventory and a beneficial upgrade. That is especially true in organizations that have little focus on environment management and, in this case, security. So on that note, chalk a win up to the Microsoft Patch Tuesday update process. Any organization that doesn’t update is at risk of certificate-based malware attacks, and those that do may be looking at significant disruption across the business on everything from email to applications if they have not prepared. Addressing Microsoft-based certificate issues at this point in time does much to address a certain percentage of the weak elements in the wild and is a welcome step; however, many organizations do not strictly employ Microsoft technology, and weak crypto keys and certificates can come from many other sources. That makes the case all the more compelling for putting better security in place wherever possible, and for setting up effective management and reporting as well.