Light Patch Tuesday will include new encryption rule
Microsoft is giving IT administrators a break next week, with the software giant only planning to release two patches to remedy four vulnerabilities.
Each of the bulletins, to be distributed Tuesday afternoon EST, is rated "important," meaning they do not meet Microsoft's highest-severity designation of "critical," and address issues in Visual Studio Team Foundation Server and System Center Configuration Manager.
The big news out of next week's automatic update is that it will include new requirements that users must employ certificates carrying an RSA key length of at least 1,204 bits. Customers actually are encouraged to run certs with much higher key lengths, even beyond 2,048 bits.
This is an additional safeguard that the software giant is releasing as a result of the Flame virus, which spread by spoofing Microsoft certificates.
"Though many have already moved away from such certificates, customers will want to take advantage of September's quiet bulletin cycle to review their asset inventories -- in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they 'still work' and have not had any cause for review for some time," wrote Angela Gunn of Microsoft Trustworthy Computing in a Thursday blog post.
She acknowledged that customers should be prepared for a number of known kinks, including error messages or other difficulties, when applying the key length update.
Andrew Storms, director of security operations for vulnerability management vendor nCircle, said administrators must take this update seriously.
"This means older, legacy systems that rely on weak encryption or keys that are too short will stop working," he said in prepared email comments sent to SCMagazine.com. "Fix ‘em now, or be seriously sorry when they stop working in October.”