NIERO@net e.K. – Corporate Blog

Your path to strategic SMB IT begins with Managed Services

Updates from the past and 1024-bit keys

Besides the 7 bulletins for 20 vulnerabilities in Microsoft Windows, SQL Server and Office including SharePoint, Lync, Microsoft Works (end of life as of this week) and InfoPath (1 rated Critical and 6 rated Important), there are two things to keep in mind for October:

1. The update described in Microsoft Security Advisory (2661254) "Update For Minimum Certificate Key Length" is now being distributed automatically. Once it is installed, Windows treats any RSA certificate with a key shorter than 1024 bits as invalid, and that applies to every certificate in a chain, not only the end-entity certificate.

According to KB2661254, this can have the following effects:

After the update is applied:

· A restart is required.

· A certification authority (CA) cannot issue RSA certificates that have a key length of less than 1024 bits.

· CA service (certsvc) cannot start when the CA is using an RSA certificate that has a key length of less than 1024 bits.

· Internet Explorer will not allow access to a website that is secured by using an RSA certificate that has a key length of less than 1024 bits.

· Outlook 2010 cannot be used to encrypt email if it is using an RSA certificate that has a key length of less than 1024 bits. However, email that has already been encrypted by using an RSA certificate with key length that is less than 1024 bits can be decrypted after the update is installed.

· Outlook 2010 cannot be used to digitally sign email if it is using an RSA certificate that has a key length that is less than 1024 bits.

· When email is received in Outlook 2010 that has a digital signature or is encrypted by using an RSA certificate that has a key length of less than 1024 bits, the user receives an error that states that the certificate is untrusted. The user can still view the encrypted or signed email.

· Outlook 2010 cannot connect to a Microsoft Exchange server that is using an RSA certificate that has a key length of less than 1024 bits for SSL/TLS. The following error is displayed: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site’s security certificate. The security certificate is not valid. The site should not be trusted."

· Security warnings of "Unknown Publisher" are reported, but installation can continue in the following cases:

o Authenticode signatures that were time stamped on January 1, 2010 or on a later date, and that are signed with a certificate by using an RSA certificate that has a key length of less than 1024 bits are encountered.

o Signed installers signed by using an RSA certificate that has a key length of less than 1024 bits.

o ActiveX controls signed by using an RSA certificate that has a key length of less than 1024 bits. ActiveX controls already installed before you install this update will not be affected.

· System Center HP-UX PA-RISC computers that use an RSA certificate with a 512 bit key length will generate heartbeat alerts and all Operations Manager monitoring of the computers will fail. An "SSL Certificate Error" will also be generated with the description "signed certificate verification." Also, Operations Manager will not discover new HP-UX PA-RISC computers because of a "signed certificate verification" error. System Center customers who have HP-UX PA-RISC computers are encouraged to reissue RSA certificates with key lengths of at least 1024 bits. For more information, go to the following TechNet webpage:

IMPORTANT: HP-UX PA-RISC computers monitored by Operations Manager will experience heartbeat and monitoring failures after an upcoming Windows update

(http://blogs.technet.com/b/momteam/archive/2012/08/01/important-hp-ux-pa-risc-computers-monitored-by-operations-manager-will-experience-heartbeat-and-monitoring-failures-after-an-upcoming-windows-update.aspx)

Note EFS encryption is not affected by this update.
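Before the update lands, the practical question is which certificates on your machines and on the servers your clients talk to will trip the new 1024-bit floor. The following script is an added example for this post (it is not part of the original article or of KB2661254). It assumes an elevated PowerShell session on the machine being audited so that the LocalMachine stores are readable; the function names, the $MinimumBits constant and the placeholder host names passed to Get-TlsServerKeySize are choices made for this example, not values from the post.

```powershell
# Added example (not from the original post or from KB2661254): find RSA
# certificates shorter than the 1024-bit minimum that KB2661254 enforces.
# Assumptions: run as administrator; host names at the bottom are placeholders.

$MinimumBits = 1024
$RsaOid      = '1.2.840.113549.1.1.1'   # rsaEncryption; ECC/DSA keys are not covered by the update

function Get-WeakRsaCertificate {
    # Walk every store under LocalMachine and CurrentUser (Root, CA, My, ...), so
    # intermediate and root certificates in a chain are caught, not just leaf certificates.
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            if ($cert.PublicKey.Oid.Value -ne $RsaOid) { return }
            $bits = $cert.PublicKey.Key.KeySize
            if ($bits -lt $MinimumBits) {
                New-Object PSObject -Property @{
                    Store      = $cert.PSParentPath -replace '^.*::', ''
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
}

function Get-TlsServerKeySize {
    # Connect to a TLS endpoint (Exchange, IIS, WSUS over SSL, ...) and report the
    # RSA key size of the certificate it presents. Validation is deliberately turned
    # off: after KB2661254 the chain check would fail for exactly the certificates
    # we want to see, and this function only reads the certificate, it never trusts it.
    param([string]$HostName, [int]$Port = 443)
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $bits = $null
        if ($cert.PublicKey.Oid.Value -eq $RsaOid) { $bits = $cert.PublicKey.Key.KeySize }
        New-Object PSObject -Property @{
            Endpoint = "${HostName}:$Port"
            Subject  = $cert.Subject
            KeyBits  = $bits
            Blocked  = ($bits -ne $null -and $bits -lt $MinimumBits)
        }
    } finally {
        $client.Close()
    }
}

# Local stores first (on a CA this also covers the CA's own certificate in LocalMachine\My) ...
Get-WeakRsaCertificate | Sort-Object KeyBits |
    Format-Table Store, KeyBits, Subject, NotAfter -AutoSize

# ... then the servers Outlook, IE and WSUS clients connect to. Placeholder names for this example.
@(
    (Get-TlsServerKeySize -HostName 'mail.example.com' -Port 443),
    (Get-TlsServerKeySize -HostName 'wsus.example.com' -Port 8531)
) | Format-Table Endpoint, KeyBits, Blocked, Subject -AutoSize
```

Two caveats a practitioner will want. First, KB2661254 documents a registry switch to log rejected certificates (certutil -setreg chain\WeakSignatureLogDir <directory>) and, strictly as a stopgap, one to lower the floor again (certutil -setreg chain\minRSAPubKeyBitLength 512); use the former to find stragglers, not the latter to live with them. Second, 1024 bits is the minimum the update enforces, not a target: any certificate you reissue because of this audit should get a 2048-bit key.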

2. In addition, Microsoft has published Microsoft Security Advisory (2749655) "Compatibility Issues Affecting Signed Microsoft Binaries" and, with KB2749655, provided a non-security update that helps maintain compatibility between Windows and the affected files.

In the same context, the following updates were rereleased:

List of available rereleases

In some cases, to best meet customer needs, Microsoft is addressing this issue by rereleasing affected updates.

· On October 9, 2012, Microsoft rereleased the KB2723135 update for Windows XP. For more information, see MS12-053.

· On October 9, 2012, Microsoft rereleased the KB2705219 update for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. For more information, see MS12-054.

· On October 9, 2012, Microsoft rereleased the KB2731847 update for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. For more information, see MS12-055.

· On October 9, 2012, Microsoft rereleased the updates for Microsoft Exchange Server 2007 Service Pack 3 (KB2756496), Microsoft Exchange Server 2010 Service Pack 1 (KB2756497), and Microsoft Exchange Server 2010 Service Pack 2 (KB2756485). For more information, see MS12-058.

· On October 9, 2012, Microsoft rereleased the KB2661254 update for Windows XP. For more information, see Microsoft Security Advisory 2661254.

Note regarding the impact of not installing a rereleased update
Customers who installed the original updates are protected from the vulnerabilities addressed by the updates. However, because improperly signed files, such as executable images, would not be considered correctly signed after the expiration of the CodeSign certificate used in the signing process of the original updates, Microsoft Update may not install some security updates after the expiration date. Other effects include, for example, that an application installer may display an error message. Third-party application whitelisting solutions may also be impacted. Installing the rereleased updates remediates the issue for the affected updates.

The background is a mistake by the Product Release and Security Services (PRSS) team, which signed files released between June 12, 2012 and August 14, 2012 with a code-signing certificate that had been generated without the proper timestamp attributes. An Authenticode signature that is not backed by a trusted timestamp is only valid for as long as the signing certificate itself is valid, so once that certificate expires the signatures on these files become invalid and the files are no longer considered correctly signed and trustworthy.
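The failure mode described above is easy to spot from the client side: a signed file whose signature carries no timestamp countersignature stands or falls with the signer certificate's validity period. The following script is an added example for this post (it is not part of the original article, of Advisory 2749655 or of KB2749655). It assumes you point it at a directory of your choosing; the directory used in the usage line, the file-extension list and the 90-day warning window are choices made for this example, not values from the post.

```powershell
# Added example (not from the original post or from KB2749655): list signed files
# whose Authenticode signature has no timestamp countersignature, and how long the
# signer certificate that currently backs them still has left.
# Assumptions: $Path is chosen by the caller; extension list and $WarnDays are example values.

function Get-SignatureWithoutTimestamp {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$WarnDays = 90,
        [string[]]$Include = @('*.exe', '*.dll', '*.sys', '*.msi', '*.msu', '*.cab')
    )
    $now = Get-Date
    Get-ChildItem -Path $Path -Recurse -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            $signer = $sig.SignerCertificate
            if ($signer -eq $null) { return }                 # unsigned file: out of scope here

            # A timestamped signature survives the signer's expiry; one without it does not.
            if ($sig.TimeStamperCertificate -ne $null) { return }

            $daysLeft = [int]($signer.NotAfter - $now).TotalDays
            $risk = 'ok for now'
            if ($daysLeft -lt 0) { $risk = 'EXPIRED' }
            elseif ($daysLeft -le $WarnDays) { $risk = 'EXPIRES SOON' }

            New-Object PSObject -Property @{
                File      = $file.FullName
                Status    = $sig.Status          # what Windows thinks of the signature right now
                Signer    = $signer.Subject
                SignerEnd = $signer.NotAfter
                DaysLeft  = $daysLeft
                Risk      = $risk
            }
        }
}

# Example run over the local Windows Update download cache (path chosen for this example).
Get-SignatureWithoutTimestamp -Path "$env:SystemRoot\SoftwareDistribution\Download" |
    Sort-Object DaysLeft |
    Format-Table Risk, DaysLeft, Status, Signer, File -AutoSize
```

Files that show up as EXPIRED are the ones whose Status has flipped (or will flip) from Valid to an error, which is exactly what the rereleased packages in the list above are meant to prevent for Microsoft's own binaries. The same check is worth running against anything your own build pipeline signs: if the signing step does not countersign with a timestamp server, your installers inherit the same shelf life as your code-signing certificate.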

Otherwise, the following sources are worth reading:

Oh, and independently of Patch Tuesday, the following may also be of interest:

KB 2734608 ("An update for Windows Server Update Services 3.0 Service Pack 2 is available"). This update resolves the following issues:

This update lets servers that are running Windows Server Update Services (WSUS) 3.0 SP2 provide updates to computers that are running Windows 8 or Windows Server 2012.

This update fixes the following issues:

· Installation of update 2720211 may fail if Service Pack 2 was previously uninstalled and then reinstalled.

· After you install update 2720211, health monitoring may fail if the WSUS server is configured to use SSL.

Additionally, this update includes the following fixes:

· 2530678 (http://support.microsoft.com/kb/2530678/): System Center Update Publisher does not publish customized updates to a computer if WSUS 3.0 SP2 and the .NET Framework 4 are installed

· 2530709 (http://support.microsoft.com/kb/2530709/): "Metadata only" updates cannot be expired or revised in WSUS 3.0 SP2

· 2720211 (http://support.microsoft.com/kb/2720211/): An update for Windows Server Update Services 3.0 Service Pack 2 is available

October 10, 2012 - Posted by | Microsoft Windows Server Update Services (WSUS), Patching, Security
