Microsoft Delivers Light Patch Tuesday Update

Microsoft has delivered just two security patches in its 11 September Patch Tuesday security update.

The patches fix a pair of cross-site scripting flaws in two of its server products, but security researchers are more focused on an update coming in October that will restrict applications that use encryption keys with a length smaller than 1,024 bits.

Light Patch

The September Patch Tuesday update fixes issues in the Microsoft’s Visual Studio Team Foundation Server and the System Center Configuration Manager.

Both issues are cross-site scripting vulnerabilities, a class of flaw that allows a script on the client to access resources on the current site or server. Because the products are not widely used in companies, the risk from the vulnerabilities is fairly low, said Jason Miller, manager of research and development for virtualisation software maker VMWare.

“They are both server-type products, and in a typical organisation … they are not going to be widely deployed,” said Miller. “If you take a look at vulnerabilities that are being exploited – they are cross-site scripting attacks – which means the attacker is going to need to know something to pull off an exploit on this.”

Looking Ahead

Rather than focus on the two bulletins released by Microsoft on its regularly scheduled patch day, most security researchers warned companies to take stock of their digital certificates and how an October update could affect their systems.

The patch will fix an issue that two researchers revealed at the Def Con 20 hacking conference in July. In a presentation, security researcher Moxie Marlinspike showed off an add-on to his CloudCracker, an encryption-breaking service that allows anyone to retrieve the keys to certain types of encryption technology. In July, the researcher added the ability to break Microsoft’s Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2), on which many virtual private network clients rely. VPNs that use the popular point-to-point tunnelling protocol (PPTP) can have their keys reliably retrieved in less than a day.

Microsoft patch, originally published to its download site in August, fixes the issue, but has already caused some problems when a certificate uses a key with less than 1,024 bits. Websites that use short-key certificates will display error messages in some cases. In other instances, applications, ActiveX controls and S/MIME email messages that were signed with a certificate of less than 1,024 bits will all cause issues.

Certificate Worry

“Organisations should take advantage of this light patch month so they can focus on updating their legacy certificates,” Marcus Carey, security researcher at Rapid7, said in a statement.

Microsoft itself made the same recommendations to its users in an advisory released in August and a blog post last week.

“Though many have already moved away from such certificates, customers will want to take advantage of September’s quiet bulletin cycle to review their asset inventories – in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they ‘still work’ and have not had any cause for review for some time,” Angela Gunn, a spokeswoman for Microsoft’s Trustworthy Computing group, said in the recommendations.

Are you a security expert? Try our quiz!

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago