While this month’s Patch Tuesday brought a reprieve from the usual onslaught of critical system patches, Microsoft plans to push out a major update next month that will invalidate certificates built on weak RSA keys. Microsoft has been preparing this change to its certificate handling since June, when the Flame malware became a problem. The Flame toolkit exploited a weakness in the MD5 hash algorithm (a collision attack, not a break of the encryption itself) to obtain a fraudulent certificate chaining up to Microsoft, which it used to impersonate Windows Update. Microsoft revoked the affected certificates and patched its systems at the time, but a wider review concluded that certificates with short RSA keys could still be broken by a sufficiently well-resourced attacker. To address this, Microsoft will make the update described in Security Advisory 2661254 mandatory: Windows will no longer accept certificates whose RSA key is shorter than 1024 bits, and anything relying on Windows certificate validation will treat such certificates as invalid.
The update will be installed automatically through Windows Update in early October, and IT admins as well as general users should understand the consequences before it lands. Outlook 2010 will be unable to connect to an Exchange server whose SSL/TLS certificate carries an RSA key shorter than 1024 bits. Microsoft reports that attempting to do so results in the error message:
“Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site’s security certificate. The security certificate is not valid. The site should not be trusted.”
Additionally, any website that presents a certificate with an RSA key shorter than 1024 bits will trigger a security alert in Internet Explorer, and in Google Chrome as well, since Chrome on Windows relies on the operating system’s certificate validation. Windows versions affected by the update are Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.
Because of the scale of the update and the number of systems the new restriction touches, prepare your office in advance. If you haven’t already, inventory the certificates in use on your servers, clients and network devices and confirm that every RSA key is at least 1024 bits; anything shorter (512-bit keys are the usual offenders) must be reissued before the update arrives. Since 1024 bits is only the floor Microsoft is enforcing, reissue with 2048-bit keys where you can.
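As an added example (not part of the original post), the following PowerShell script performs that inventory on a Windows machine: it lists certificates in the local stores whose RSA key is shorter than the minimum, reads the effective minimum from the registry value that `certutil -setreg chain\MinRsaPubKeyBitLength` writes (the override documented in the advisory), and reports the key length of the certificate your Exchange or OWA server presents. The host name mail.example.com is a placeholder, and all function names are my own.

```powershell
# Added example, not code from the original post. Run in an elevated
# Windows PowerShell prompt on any of the affected Windows versions.
# mail.example.com below is a placeholder for your Exchange/OWA server.

function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Only RSA keys are subject to the 1024-bit minimum; skip DSA/ECC certificates.
    if ($Cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return $null }
    return $Cert.PublicKey.Key.KeySize
}

function Get-EffectiveMinimumRsaBits {
    # The advisory's override, "certutil -setreg chain\MinRsaPubKeyBitLength <bits>",
    # stores its value under this key. Absent value means the 1024-bit default.
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
    $item = Get-ItemProperty -Path $key -Name MinRsaPubKeyBitLength -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.MinRsaPubKeyBitLength }
    return 1024
}

function Find-WeakRsaCertificates {
    param(
        [int]$MinimumBits = (Get-EffectiveMinimumRsaBits),
        # Stores that matter most: server/client certs, trusted roots, intermediates.
        [string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root',
                                  'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\My')
    )
    foreach ($path in $StorePaths) {
        foreach ($cert in (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
            $bits = Get-RsaKeyBits -Cert $cert
            if ($bits -ne $null -and $bits -lt $MinimumBits) {
                New-Object PSObject -Property @{
                    Store      = $path
                    KeyBits    = $bits
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

function Get-ServerRsaKeyBits {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake: we only want to inspect
        # the key length, not decide whether to trust the server here.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return Get-RsaKeyBits -Cert $cert
    }
    finally {
        $client.Close()
    }
}

# Usage: report the enforced minimum, the weak certificates already on this
# machine, and the key length offered by the mail server (placeholder name).
"Effective minimum RSA key length: $(Get-EffectiveMinimumRsaBits) bits"
Find-WeakRsaCertificates | Format-Table Store, KeyBits, NotAfter, Subject -AutoSize
$serverBits = Get-ServerRsaKeyBits -HostName 'mail.example.com' -Port 443
"mail.example.com presents a $serverBits-bit RSA key"
```

Run the local scan on both the Exchange server and a representative Outlook client: a 512-bit key lurking in an intermediate or root store breaks the chain just as surely as one on the server certificate itself, and the remote check tells you what clients will actually see once the update is installed. A server reporting fewer than 1024 bits needs a reissued certificate before October.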
– Richard Keene
IT Computer Support of New York
Design and Optimization Department
This issue just happened to me, and I now can’t access my email with Outlook 2010 after installing that Windows update. If I can’t wait for the certificate to be updated at the server, is there any workaround to bypass this?
If you’re on a personal computer it’s possible that you would be able to roll back the update and postpone the patch through your System and Security Control Panel. Be warned though, this can cause other problems and should only be done if absolutely necessary. If your updates are managed by someone else then you are out of luck and will have to wait.
Before you do anything you should contact the system administrator of your current email server and let them know the problems you are having. Chances are they can either help you directly or are aware of the problem and will have it fixed soon.