Microsoft has delivered just two security patches in its 11 September Patch Tuesday security update.
The patches fix a pair of cross-site scripting flaws in two of its server products, but security researchers are more focused on an update coming in October that will restrict applications that use encryption keys with a length smaller than 1,024 bits.
The September Patch Tuesday update fixes issues in the Microsoft’s Visual Studio Team Foundation Server and the System Center Configuration Manager.
Both issues are cross-site scripting vulnerabilities, a class of flaw that allows a script on the client to access resources on the current site or server. Because the products are not widely used in companies, the risk from the vulnerabilities is fairly low, said Jason Miller, manager of research and development for virtualisation software maker VMWare.
“They are both server-type products, and in a typical organisation … they are not going to be widely deployed,” said Miller. “If you take a look at vulnerabilities that are being exploited – they are cross-site scripting attacks – which means the attacker is going to need to know something to pull off an exploit on this.”
Rather than focus on the two bulletins released by Microsoft on its regularly scheduled patch day, most security researchers warned companies to take stock of their digital certificates and how an October update could affect their systems.
Microsoft patch, originally published to its download site in August, fixes the issue, but has already caused some problems when a certificate uses a key with less than 1,024 bits. Websites that use short-key certificates will display error messages in some cases. In other instances, applications, ActiveX controls and S/MIME email messages that were signed with a certificate of less than 1,024 bits will all cause issues.
“Organisations should take advantage of this light patch month so they can focus on updating their legacy certificates,” Marcus Carey, security researcher at Rapid7, said in a statement.
Microsoft itself made the same recommendations to its users in an advisory released in August and a blog post last week.
“Though many have already moved away from such certificates, customers will want to take advantage of September’s quiet bulletin cycle to review their asset inventories – in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they ‘still work’ and have not had any cause for review for some time,” Angela Gunn, a spokeswoman for Microsoft’s Trustworthy Computing group, said in the recommendations.
Are you a security expert? Try our quiz!
Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…
Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…