Microsoft Issues XSS Patches, but Security Researchers Focus on Oct. Update
Microsoft issued two security patches Sept. 11, fixing a pair of cross-site scripting flaws in two of its server products, but security researchers focused on an update coming in October that will restrict applications that use encryption keys with a length smaller than 1,024 bits.
The September Patch Tuesday update fixes issues in the Microsoft's Visual Studio Team Foundation Server and the System Center Configuration Manager. Both issues are cross-site scripting vulnerabilities, a class of flaw that allows a script on the client to access resources on the current site or server. Because the products are not widely used in companies, the risk from the vulnerabilities is fairly low, said Jason Miller, manager of research and development for virtualization software maker VMWare.
"They are both server-type products, and in a typical organization ... they are not going to be widely deployed," said Miller. "If you take a look at vulnerabilities that are being exploited-they are cross-site scripting attacks-which means the attacker is going to need to know something to pull off an exploit on this."
Rather than focus on the two bulletins released by Microsoft on its regularly scheduled patch day, most security researchers warned companies to take stock of their digital certificates and how an October update could affect their systems.
The patch will fix an issue that two researchers revealed at the Def Con 20 hacking conference in July. In a presentation, security researcher Moxie Marlinspike showed off an add-on to his CloudCracker, an encryption-breaking service that allows anyone to retrieve the keys to certain types of encryption technology. In July, the researcher added the ability to break Microsoft's Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2), on which many virtual private network clients rely. VPNs that use the popular point-to-point tunneling protocol (PPTP) can have their keys reliably retrieved in less than a day.
Microsoft patch, originally published to its download site in August, fixes the issue, but has already caused some problems when a certificate uses a key with less than 1,024 bits. Websites that use short-key certificates will display error messages in some cases. In other instances, applications, ActiveX controls and S/MIME e-mail messages that were signed with a certificate of less than 1,024 bits will all cause issues.
"Organizations should take advantage of this light patch month so they can focus on updating their legacy certificates," Marcus Carey, security researcher at Rapid7, said in a statement.
Microsoft itself made the same recommendations to its users in an advisory released in August and a blog post last week.
"Though many have already moved away from such certificates, customers will want to take advantage of September's quiet bulletin cycle to review their asset inventories â in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they 'still work' and have not had any cause for review for some time," Angela Gunn, a spokeswoman for Microsoft's Trustworthy Computing group, said in the recommendations.