Microsoft pushes two patches and new cert requirement

Microsoft on Tuesday released a security update for two vulnerabilities, both categorized as "important."

The update addresses a Visual Studio Team Foundation Server flaw, which permits privilege escalation by an attacker if a user visits a malicious web page.

A vulnerability in System Center Configuration Manager was also patched. This could allow similar privilege elevations.

None of the issues addressed were known to be under active exploit, according to a blog post at Microsoft Security Response Center.

Marcus Carey, a security researcher at vulnerability management and penetration testing company Rapid7, told SCMagazine.com in prepared email comments that the bulletins were low risk to most organizations, but that employees should never be allowed to browse the internet or check email from servers on which this software could reside.

"To be able to exploit these vulnerabilities, an attacker would craft a malicious link for a victim to click on, allowing them to compromise the victim's system," Carey said. "It's always a good idea to educate employees [or] end-users on how to spot and avoid suspect links."

The update also includes a new certificate requirement that RSA keys be a minimum of 1,024 bits in length. The new rule resulted from the sophisticated Flame virus, in which attackers beat weak crypto algorithms to spread onto target networks.
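
To see which installed certificates fall under the 1,024-bit minimum, an administrator can inventory the Windows certificate stores. The script below is an added example, not code from Microsoft or from this article; `Find-WeakRsaCertificate` is a hypothetical helper name, and the script assumes Windows PowerShell 5.1 or later with .NET Framework 4.6 or later.

```powershell
# Added example: list certificates whose RSA public key is shorter than the
# 1,024-bit minimum described above. Read-only; no store is modified.
# Find-WeakRsaCertificate is a hypothetical helper name, not a built-in cmdlet.
function Find-WeakRsaCertificate {
    [CmdletBinding()]
    param(
        # Store roots to walk (the Cert: drive exists on Windows only).
        [string[]] $StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        # Minimum acceptable RSA key size in bits (value taken from the article).
        [int] $MinimumBits = 1024
    )

    foreach ($root in $StorePath) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                # Only RSA keys are in scope (OID rsaEncryption); skip ECC and DSA.
                if ($cert.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') { return }

                try {
                    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
                    $bits = $rsa.KeySize
                } catch {
                    # Key could not be read: report with an empty KeyBits for manual review.
                    $bits = $null
                }

                if ($null -eq $bits -or $bits -lt $MinimumBits) {
                    [pscustomobject]@{
                        # PSParentPath looks like "...Certificate::LocalMachine\Root".
                        Store      = $cert.PSParentPath -replace '^.*::', ''
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        Thumbprint = $cert.Thumbprint
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                    }
                }
            }
    }
}

Find-WeakRsaCertificate | Sort-Object Store, KeyBits | Format-Table -AutoSize
```

Rows with an empty `KeyBits` are certificates whose key could not be parsed and need a manual look; everything else listed is an RSA key below the threshold.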

 
