Microsoft has delivered just two security patches in its 11 September Patch Tuesday security update.
The patches fix a pair of cross-site scripting flaws in two of its server products, but security researchers are more focused on an update coming in October that will restrict applications that use encryption keys with a length smaller than 1,024 bits.
The September Patch Tuesday update fixes issues in the Microsoft’s Visual Studio Team Foundation Server and the System Center Configuration Manager.
Both issues are cross-site scripting vulnerabilities, a class of flaw that allows a script on the client to access resources on the current site or server. Because the products are not widely used in companies, the risk from the vulnerabilities is fairly low, said Jason Miller, manager of research and development for virtualisation software maker VMWare.
“They are both server-type products, and in a typical organisation … they are not going to be widely deployed,” said Miller. “If you take a look at vulnerabilities that are being exploited – they are cross-site scripting attacks – which means the attacker is going to need to know something to pull off an exploit on this.”
Rather than focus on the two bulletins released by Microsoft on its regularly scheduled patch day, most security researchers warned companies to take stock of their digital certificates and how an October update could affect their systems.
Microsoft patch, originally published to its download site in August, fixes the issue, but has already caused some problems when a certificate uses a key with less than 1,024 bits. Websites that use short-key certificates will display error messages in some cases. In other instances, applications, ActiveX controls and S/MIME email messages that were signed with a certificate of less than 1,024 bits will all cause issues.
“Organisations should take advantage of this light patch month so they can focus on updating their legacy certificates,” Marcus Carey, security researcher at Rapid7, said in a statement.
Microsoft itself made the same recommendations to its users in an advisory released in August and a blog post last week.
“Though many have already moved away from such certificates, customers will want to take advantage of September’s quiet bulletin cycle to review their asset inventories – in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they ‘still work’ and have not had any cause for review for some time,” Angela Gunn, a spokeswoman for Microsoft’s Trustworthy Computing group, said in the recommendations.
Are you a security expert? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…