April 20, 2014

No Critical priority vulnerabilities to be fixed by Microsoft for September’s Patch Tuesday

(LiveHacking.Com) – Microsoft has issued its advance notification outlining the security bulletins that it will release for September’s Patch Tuesday. This month’s release will contain only two bulletins, both of which have a severity rating of Important. The bulletins affect Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1, Microsoft Systems Management Server 2003 Service Pack 3 and Microsoft System Center Configuration Manager 2007 Service Pack 2. Both bulletins address elevation of privilege vulnerabilities.

Microsoft has also published a heads-up concerning the minimum key length of Public Key Infrastructure (PKI) certificates. Microsoft is increasing the requirement for certificates used in PKI to an RSA key length minimum of 1024 bits. In June, Microsoft announced the availability of an update to Windows (via the Download Center as well as the Microsoft Update Catalog) that restricts the use of certificates with RSA keys less than 1024 bits in length. Microsoft is now planning to release this update through Microsoft Update in October 2012.

“By raising the bar of our certificate requirements, as part of our ongoing work to evaluate Microsoft’s security efforts and make improvements, we aim to help create a safer more trusted Internet for everyone,” wrote Angela Gunn on the Microsoft Security Response Center blog.

“We recommend that you evaluate your environments with the information provided in Security Advisory 2661254 and your organisation is aware of and prepared to resolve any known issues prior to October,” continued the post.

The release of September’s bulletins is scheduled for Tuesday, September 11, 2012.

Stolen Certificate Used to Sign Malware

(LiveHacking.Com) – A certificate stolen from the Malaysian Agricultural Research and Development Institute, which was taken “quite some time ago”, has turned up as the digital signature used on a piece of malware known as Trojan-Downloader:W32/Agent.DTIW.

The malware, which spreads via malicious PDF files that install it after exploiting holes in Adobe Reader 8, downloads additional malicious components from a server called worldnewsmagazines.org.

By using a private signing certificate that belongs to the Malaysian government the malware is able to bypass the warnings issued by Windows about untrusted software.

According to F-Secure, who discovered the malware signed with a stolen certificate:

It’s not that common to find a signed copy of malware. It’s even rarer that it’s signed with an official key belonging to a government.

The use of digital certificates and the role of Certificate Authorities (CA) continues to be a hot topic following several well publicized security breaches (Diginotar and Comodo) and the subsequent revoking of fraudulently issued certificates.

New Protection From Internet Routing Hijacking and Incorrect Addressing

The beginning of January saw the start of a new era for Internet routing. Well, it almost did. Four of the five Regional Internet Registries (RIRs) have deployed the Resource Public Key Infrastructure (RPKI), a robust security framework for verifying the association between resource holders and their Internet resources.

The RIRs, like the RIPE Network Coordination Centre (which is responsible for the European part of the Internet), provide Internet resource allocations, registration services and co-ordination activities. RPKI allows ISPs and network operators to verify the accuracy of routes on the Internet and to prevent fraudulent or erroneous misdirection of Internet traffic. A famous example of erroneous routing happened in 2008 when the YouTube web site was unavailable in several different parts of the world because Pakistan Telecom incorrectly co-opted YouTube’s IP address range as its own.

The only RIR not to implement RPKI yet is the American Registry for Internet Numbers (ARIN). According to their website their deployment has been delayed until “very early in the second quarter of 2011”.

Once ARIN is up and running, the use of Resource Certificates will mean that worldwide each resource holder will own a certificate which lists the Internet resources (IPv4 addresses, IPv6 addresses, and Autonomous System Numbers) that are owned by the certificate holder (e.g. an ISP). The certificates are of course encrypted, and by using the public keys associated with the certificate owner the list of Internet resources can be easily verified.
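
An added example, not code from the original article or from any RIR: once resource certificates are published, a network operator can compare each BGP announcement with the prefixes and origin AS the resource holder has authorised. The sketch follows the valid / invalid / not-found outcome of RFC 6811 route origin validation, which goes beyond what the article describes; the `VRP` tuple, the `validate` function and all prefixes and AS numbers are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """One validated entry: prefix, longest announcement allowed, authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data: documentation prefixes (RFC 5737, RFC 3849) and
# documentation AS numbers (RFC 5398). Not taken from any real registry.
VRPS = [
    VRP("203.0.113.0/24", 24, 64500),
    VRP("2001:db8::/32", 48, 64501),
]


def validate(route_prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covered = False
    for vrp in vrps:
        vrp_net = ipaddress.ip_network(vrp.prefix, strict=True)
        # A VRP covers the route when the route lies inside the VRP prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A match needs the right origin AS and a prefix no longer than
        # max_length. AS 0 never matches any announcement.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered but unmatched means someone with no authorisation (or a
    # too-specific prefix) is announcing certified address space.
    return "invalid" if covered else "notfound"


if __name__ == "__main__":
    announcements = [
        ("203.0.113.0/24", 64500),    # holder announcing its own prefix
        ("203.0.113.0/24", 64511),    # same prefix, unauthorised origin AS
        ("203.0.113.128/25", 64511),  # more-specific from another AS
        ("203.0.113.128/25", 64500),  # right AS, but longer than max_length
        ("192.0.2.0/24", 64500),      # address space with no entry at all
        ("2001:db8:1::/48", 64501),   # IPv6, within max_length
    ]
    for prefix, asn in announcements:
        print(f"{prefix:<20} AS{asn:<6} {validate(prefix, asn)}")
```

A more-specific announcement from a different AS, the pattern behind the 2008 YouTube outage mentioned above, comes out as `invalid` rather than `notfound`, which is what lets an operator drop it while still accepting routes for address space that has no certificate yet.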