Microsoft is planning a relatively quiet release for Patch Tuesday with just a pair of security updates in tow next week.
Both security bulletins - which will be available Sept. 11 - address privilege escalation issues and are rated 'Important.' According to Microsoft, one of the bulletins is focused on Microsoft Developer Tools, while the other is focused on Microsoft Server Software. Bulletin one requires Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1 be installed, so this is a relatively small target pool, opined Alex Horan, senior product manager at CORE Security.
"Bulletin Two requires Microsoft Systems Management Server 2003 Service Pack 3 or Microsoft System Center Configuration Manager 2007 Service Pack 2 be installed," he said. "An outside attacker would have no idea if those packages will be installed on the system they attack, but the odds are not high."
"In general, this month’s Patch Tuesday should be a breeze," he added. "Both bulletins are privilege escalation vulnerabilities, meaning the attacker has to already have a foothold on the system to leverage them. The reason these are important, though, is that through a client-side attack or drive-by download, an attacker could gain a foothold on a user’s machine."
The lightweight security update could be the calm before the storm for some organizations, argued Marcus Carey, security researcher at Rapid7, given Microsoft's plans to release an update next month through Windows Update that will increase the requirements for certificates. The update was initially made available in August via the Download Center.
"While there are only two bulletins, this could still be a busy month for organizations since Microsoft will be issuing an update next month that will deprecate the use of certificates that are less than 1024 bit encrypted," he told SecurityWeek. "Microsoft will definitely push this update out in October. The light patch month in September will allow organizations to prepare for this, which is great as it has a potential to break things if applications are still using outdated certificates. It almost seems as if Microsoft is intentionally giving organizations a light patch month so they can focus on updating their legacy certificates."
Organizations that find they are using certificates with RSA keys shorter than 1024 bits will need to have those certificates reissued with a key length of at least 1024 bits, blogged Angela Gunn of Microsoft's Trustworthy Computing Group.
"We recommend that you evaluate your environments with the information provided in Security Advisory 2661254 and your organization is aware of and prepared to resolve any known issues prior to October," she wrote.
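As an added example (not code from the article, SecurityWeek or Microsoft), the inventory check an administrator might run while evaluating an environment before the October update: it walks the local machine and current user certificate stores and lists RSA certificates whose keys are shorter than 1024 bits. It assumes Windows PowerShell with the Cert: drive; the 1024-bit threshold is the one the article gives.

```powershell
# Added example, not from the article or from Microsoft: find RSA certificates
# with keys shorter than 1024 bits so they can be reissued ahead of the update
# described in Security Advisory 2661254. Assumes the Cert: provider is available.
$MinimumRsaBits = 1024

$weakCerts = foreach ($store in 'Cert:\LocalMachine', 'Cert:\CurrentUser') {
    Get-ChildItem -Path $store -Recurse |
        # -Recurse also returns the store containers themselves; keep only certificates
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            # Only RSA keys are affected by the new minimum; skip ECC/DSA keys
            if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
            # Skip certificates whose public key cannot be loaded
            try { $bits = $cert.PublicKey.Key.KeySize } catch { return }
            if ($bits -lt $MinimumRsaBits) {
                [pscustomobject]@{
                    Store      = $cert.PSParentPath -replace '^.*::', ''
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
}

if ($weakCerts) {
    $weakCerts | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize
    # Keep a record for tracking the reissue work
    $weakCerts | Export-Csv -Path .\weak-rsa-certs.csv -NoTypeInformation
} else {
    "No RSA certificates below $MinimumRsaBits bits found in the scanned stores."
}
```

Run it in an elevated session so the LocalMachine stores are readable; certificates used by applications from files or non-Windows stores are outside what this check sees.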