While this month’s Patch Tuesday saw a reprieve in the typical onslaught of critical system patches, Microsoft plans to push a major update next month that will reject certificates built on weak RSA keys. Microsoft has been planning this change to its certificate handling since June, when the Flame malware became a problem. The Flame malware toolkit exploited weak encryption algorithms to create fraudulent Microsoft certificates that spoofed Windows Update. Microsoft patched the security flaws in its systems at the time, but a wide-scale audit found that infiltration was still possible with a sophisticated enough attack. To combat the problem, Microsoft will make Security Advisory 2661254 mandatory, and certificates with RSA keys shorter than 1024 bits will no longer be accepted by Microsoft products.

The security update will be installed automatically via Windows Update in early October, and IT admins as well as general users should be aware of the consequences. Outlook 2010 will be unable to connect to a Microsoft Exchange server whose SSL/TLS certificate uses an RSA key shorter than 1024 bits. Microsoft reports that attempting to do so will produce the error message:

“Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site’s security certificate. The security certificate is not valid. The site should not be trusted.”

Two potential error messages resulting from the update.

Additionally, any website whose certificate uses such a short key will trigger a security alert when viewed in Internet Explorer or Google Chrome. Microsoft products affected by the update include Windows 7, Windows Server 2008, Vista, MS Server 2003 and Windows XP.

Because of the scale of the update and the number of systems that can be affected by the new restriction, it is advisable to prepare your office for the update in advance. If you haven’t already, check that every certificate your systems rely on (web servers, Exchange, internal CAs and code-signing certificates alike) uses an RSA key of at least 1024 bits, the threshold the advisory enforces, and replace any that fall short.
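The check above comes down to reading the modulus length out of each certificate’s RSA public key. The script below is an added example, not code from the original post or from Microsoft: it contains a minimal DER decoder that walks a certificate’s SubjectPublicKeyInfo block to the RSA modulus and reports whether the key meets the 1024-bit minimum. Because it must run offline, it also contains a tiny DER encoder used only to build constructed sample keys of 512, 1024 and 2048 bits; the `make_spki` helper and its fake moduli are assumptions of this example, not real certificates. Only the Python standard library is used.

```python
"""Flag RSA public keys shorter than 1024 bits inside DER-encoded
SubjectPublicKeyInfo (SPKI) structures, the public-key block of an X.509
certificate. Constructed example; the sample keys are built in code and
are not real certificates."""

MIN_RSA_BITS = 1024  # minimum enforced by Security Advisory 2661254
# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded body
RSA_OID = bytes.fromhex("2a864886f70d010101")


# ---- minimal DER encoder: used only to construct sample input ----
def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value):
    """DER INTEGER; a leading 0x00 keeps values with the high bit set positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def make_spki(modulus_bits, exponent=65537):
    """Constructed SPKI carrying a fake RSA modulus of exactly modulus_bits bits
    (hypothetical helper for this example; no real key material)."""
    modulus = (1 << (modulus_bits - 1)) | 1          # top bit set, so length is exact
    rsa_pub = der(0x30, der_int(modulus) + der_int(exponent))   # RSAPublicKey
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))        # AlgorithmIdentifier
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))       # SPKI (BIT STRING has 0 unused bits)


# ---- minimal DER decoder: what a certificate checker actually needs ----
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the RSA modulus bit length from a DER SPKI, or None for non-RSA keys."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    _, alg, pos = read_tlv(body)                      # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg)
    if oid_tag != 0x06 or oid != RSA_OID:
        return None                                   # DSA/EC key: advisory does not apply
    bs_tag, bitstr, _ = read_tlv(body, pos)           # BIT STRING wrapping RSAPublicKey
    if bs_tag != 0x03:
        raise ValueError("expected BIT STRING after AlgorithmIdentifier")
    _, rsa_pub, _ = read_tlv(bitstr[1:])              # skip the unused-bits byte
    int_tag, modulus, _ = read_tlv(rsa_pub)           # first INTEGER is the modulus n
    if int_tag != 0x02:
        raise ValueError("expected INTEGER modulus in RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()


def check_key(spki):
    """Classify one SPKI against the advisory's threshold."""
    bits = rsa_modulus_bits(spki)
    if bits is None:
        return "non-RSA key (not affected)"
    if bits < MIN_RSA_BITS:
        return "BLOCKED: %d-bit RSA key, replace before October" % bits
    return "OK: %d-bit RSA key" % bits


if __name__ == "__main__":
    for bits in (512, 1024, 2048):                   # constructed sample keys
        print(bits, "->", check_key(make_spki(bits)))
```

To run this against real certificates, feed `rsa_modulus_bits` the DER bytes of the SubjectPublicKeyInfo extracted from each certificate (for example one exported from the Windows certificate store or a web server); a key reported as BLOCKED is one the October update will stop accepting.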

– Richard Keene
IT Computer Support of New York
Design and Optimization Department