While this month’s Patch Tuesday brought a reprieve from the usual onslaught of critical system patches, Microsoft plans to push a major update next month that will stop trusting certificates with weak RSA keys. Microsoft has been planning this change to its certificate validation since June, when the Flame malware became a problem. The Flame toolkit exploited weak cryptography (an MD5 hash collision against a Microsoft certificate authority) to forge certificates that appeared to be Microsoft’s and used them to spoof Windows Update. Microsoft revoked the affected certificates and patched its systems at the time, but a wide-scale audit found that a sufficiently sophisticated attack could still succeed. To combat the problem, Microsoft will make the update described in Security Advisory 2661254 mandatory: Windows will treat certificates with RSA keys shorter than 1024 bits as invalid, so they will no longer work with Microsoft products.
The update will be installed automatically via Windows Update in early October, and IT admins as well as general users should be aware of the consequences. The update has been available from the Microsoft Download Center since August, so administrators can install it on a test machine ahead of the automatic rollout. One documented consequence: Outlook 2010 will be unable to connect to a Microsoft Exchange server whose SSL/TLS certificate uses an RSA key shorter than 1024 bits. Microsoft reports that attempting to do so produces the error message:
“Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site’s security certificate. The security certificate is not valid. The site should not be trusted.”
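As an added example (this is not the article’s or Microsoft’s code), the following PowerShell script lets an administrator find the certificates the update will reject before it arrives. It audits the local certificate stores for RSA public keys shorter than 1024 bits, then connects to a TLS endpoint such as an Exchange server and reports the key length of every certificate in the chain the client builds for it, since an issuing CA with a short key is as much of a problem as a short leaf key. The store list and the host name exchange.example.com are placeholders.

```powershell
# Added example, not Microsoft's code: find certificates with RSA keys shorter
# than the 1024-bit minimum that the KB2661254 update enforces. Run from an
# elevated Windows PowerShell session so the LocalMachine stores are readable.

$MinimumKeyBits = 1024

function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Only RSA keys are covered by the new minimum; other algorithms return $null.
    if ($Cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return $null }
    try {
        # Windows PowerShell: PublicKey.Key is an RSACryptoServiceProvider.
        return $Cert.PublicKey.Key.KeySize
    } catch {
        # Newer .NET runtimes expose the key through the extension method instead.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
        if ($rsa) { return $rsa.KeySize } else { return $null }
    }
}

function Find-WeakRsaCertificates {
    # Stores to audit; the default list is an assumption, adjust it for your estate.
    param([string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA',
                                    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My'))
    foreach ($path in $StorePaths) {
        foreach ($cert in (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
            $bits = Get-RsaKeyBits -Cert $cert
            if ($null -ne $bits -and $bits -lt $MinimumKeyBits) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

function Test-TlsChainKeyLength {
    # Connect to a TLS endpoint (e.g. an Exchange server on 443) and report the
    # RSA key length of every certificate in the chain this client builds for it.
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any server certificate here: this is an audit, not a trust decision.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($leaf)   # resolves issuers from this machine's stores, as Outlook would
        foreach ($element in $chain.ChainElements) {
            $bits = Get-RsaKeyBits -Cert $element.Certificate
            [pscustomobject]@{
                Subject = $element.Certificate.Subject
                KeyBits = $bits
                Weak    = ($null -ne $bits -and $bits -lt $MinimumKeyBits)
            }
        }
    } finally {
        $client.Close()
    }
}

# Usage: audit the local stores first, then the Exchange server (placeholder host name).
Find-WeakRsaCertificates | Format-Table -AutoSize
Test-TlsChainKeyLength -HostName 'exchange.example.com' | Format-Table -AutoSize
```

Anything the script flags should be reissued with a longer key (2048 bits is the sensible choice) before October; a flagged issuing CA means every certificate under it needs reissuing, not just the one Outlook complains about. The KB article for the update documents a certutil registry override (chain\minRSAPubKeyBitLength) that lowers the minimum, but that is a temporary compatibility escape hatch, not a fix.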