Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Microsoft to release five fixes and restrict MD5 hash on Patch Tuesday

Microsoft's upcoming Patch Tuesday will bring five fixes, two of them deemed critical, to vulnerabilities that could allow for remote code execution, elevation of privilege, information disclosure and denial-of-service.

The first critical fix will address issues in Windows 7, 8, 8.1, and RT, as well as Windows Server 2008 and 2012, according to the advance notification. The second critical fix addresses a flaw in Microsoft Forefront Protection 2010 for Exchange Server. 

Microsoft defines critical vulnerabilities as those that could allow for code execution without any user interaction, meaning a user could become infected or otherwise compromised without ever even knowing it.

“With only five bulletins, it is quite small again for the second time this year with January's four-bulletin release,” Wolfgang Kandek, Qualys CTO, told SCMagazine.com in a Thursday email. “Also for the second time, there is no update to Internet Explorer, which we have grown to become accustomed to see in the monthly releases.”

The upcoming Feb. 11 Patch Tuesday falls on the same day Microsoft plans to release an update that restricts the use of the MD5 hash algorithm, a popular cryptographic hash function that creates a 128-bit hash value.

“Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes,” according to an August 2013 Microsoft advisory

The release adds, “Usage of MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.