Security Advisory 2661254 - Update For Minimum Certificate Key Length
Before we get into the details of this month’s bulletin release, let’s take a look at an important change on how Windows deals with certificates that have RSA keys of less than 1024 bits in length.

We’ve been talking about this subject since June, and today we are announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length with Security Advisory 2661254. As noted in the advisory, this update will be available in the Download Center as well as the Microsoft Update Catalog. This allows enterprise administrators to download and import the update into WSUS for testing before widely deploying the update throughout their enterprise. The security advisory includes instructions on how to configure the update and provides general guidance on what steps customers should take to become more secure. This update is planned to be released via Windows Update starting in October 2012.

For additional details on these defense-in-depth changes to how Windows deals with certificates please visit Public Key Infrastructure (PKI) blog.

Security Updates
For this Update Tuesday we are releasing nine security bulletins - five Critical-class and four Important – addressing 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office. For those who need to prioritize deployment, we recommend focusing on the these three critical updates first:

MS12-060 (Windows Common Controls)
Multiple software products utilize Windows Common Controls , and the issues addressed in this bulletin affect Office, SQL Server, Server Software, and Developer Tools. We’re aware of limited, targeted attacks attempting to exploit this vulnerability, but we haven’t seen public proof-of-concept code published. These are important factors to consider when determining deployment priority and Microsoft recommends that customers test and deploy this update as soon as possible.

MS12-052 (Internet Explorer)
This security update addresses four privately disclosed issues, none of which are currently known to be under active attack. Successful exploitation of these issues could result in the execution of code with the privileges of the current user. You may notice that one of the issues addressed in the Cumulative Security Update for Internet Explorer is also listed in MS12-056 for the JScript and VBScript Engines. Since this issue affects both IE and Windows components, you will need to apply both updates to ensure the issue has been addressed on your system.

MS12-054 (Windows Networking Components)
This security update addresses three issues related to the Remote Administration Protocol (RAP) and one issue affecting the Print Spooler. The impact from these issues ranges from Denial of Service (DoS) to Remote Code Execution (RCE). All of these issues were reported to us through coordinated disclosure and we have no reports of these issues being exploited. As with our other top-priority bulletins, we encourage customers to test and deploy this update as soon as possible.

Of the remaining six bulletins, two are also rated as critical: one addressing issues affecting the Remote Desktop Protocol and the other affecting Exchange Server. The remaining four bulletins are all Important-class issues touching on Windows and Office.

Security Update Re-release
Last month, we published MS12-043 to address issues affecting Microsoft XML Core Services. The July release provided updates for Microsoft XML Core Services 3.0, 4.0, and 6.0. This month, we are re-releasing MS12-043 with additional updates for Microsoft XML Core Services 5.0. This re-release does not affect the previous updates for versions 3.0, 4.0, and 6.0.

Please watch the video below for an overview of this month's bulletins and you can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view)

 

Our risk and impact graph provides an aggregate view of this month's severity and exploitability index (click for larger view). For insightful details about the Exploitability Index and additional bulletin nuances, please see the Security Research & Defense (SRD) blog.

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page. Thanks for reading and join us tomorrow (Wednesday, August 15, 2012) at 11 a.m. PDT for a live webcast with Jonathan Ness and Dustin Childs, who will be sharing greater details about these bulletins and our other announcements this month. As always, they will be answering bulletin-related questions live during the webcast. You may register for that one-hour event here.

Yunsun Wee
Microsoft
Trustworthy Computing