Microsoft Delivers Light Patch Tuesday Update

Microsoft has delivered just two security patches in its 11 September Patch Tuesday security update.

The patches fix a pair of cross-site scripting flaws in two of its server products, but security researchers are more focused on an update coming in October that will restrict applications that use encryption keys with a length smaller than 1,024 bits.

Light Patch

The September Patch Tuesday update fixes issues in the Microsoft’s Visual Studio Team Foundation Server and the System Center Configuration Manager.

Both issues are cross-site scripting vulnerabilities, a class of flaw that allows a script on the client to access resources on the current site or server. Because the products are not widely used in companies, the risk from the vulnerabilities is fairly low, said Jason Miller, manager of research and development for virtualisation software maker VMWare.

“They are both server-type products, and in a typical organisation … they are not going to be widely deployed,” said Miller. “If you take a look at vulnerabilities that are being exploited – they are cross-site scripting attacks – which means the attacker is going to need to know something to pull off an exploit on this.”

Looking Ahead

Rather than focus on the two bulletins released by Microsoft on its regularly scheduled patch day, most security researchers warned companies to take stock of their digital certificates and how an October update could affect their systems.

The patch will fix an issue that two researchers revealed at the Def Con 20 hacking conference in July. In a presentation, security researcher Moxie Marlinspike showed off an add-on to his CloudCracker, an encryption-breaking service that allows anyone to retrieve the keys to certain types of encryption technology. In July, the researcher added the ability to break Microsoft’s Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2), on which many virtual private network clients rely. VPNs that use the popular point-to-point tunnelling protocol (PPTP) can have their keys reliably retrieved in less than a day.

Microsoft patch, originally published to its download site in August, fixes the issue, but has already caused some problems when a certificate uses a key with less than 1,024 bits. Websites that use short-key certificates will display error messages in some cases. In other instances, applications, ActiveX controls and S/MIME email messages that were signed with a certificate of less than 1,024 bits will all cause issues.

Certificate Worry

“Organisations should take advantage of this light patch month so they can focus on updating their legacy certificates,” Marcus Carey, security researcher at Rapid7, said in a statement.

Microsoft itself made the same recommendations to its users in an advisory released in August and a blog post last week.

“Though many have already moved away from such certificates, customers will want to take advantage of September’s quiet bulletin cycle to review their asset inventories – in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they ‘still work’ and have not had any cause for review for some time,” Angela Gunn, a spokeswoman for Microsoft’s Trustworthy Computing group, said in the recommendations.

Are you a security expert? Try our quiz!

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

1 hour ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

3 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

18 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

21 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

22 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

23 hours ago