Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Hardens Windows Update, Preps 25 Security Fixes for Patch Tuesday

Microsoft plans to issue fixes for 25 security vulnerabilities in its upcoming June 2012 Patch Tuesday update.

Microsoft plans to issue fixes for 25 security vulnerabilities in its upcoming June 2012 Patch Tuesday update.

The fixes will spread across seven bulletins – three of which are critical – affecting vulnerabilities in Microsoft Windows, Internet Explorer, Visual Basic for Applications, Dynamics A, and the .NET Framework. The critical bulletins address issues in Windows, Internet Explorer and the .NET Framework. The remaining bulletins are classified as ‘Important.’

Wolfgang Kandek, CTO of Qualys, said users should focus on the three critical bulletins, Bulletin 4 – which deals with Microsoft Office – and the recent Microsoft update addressing the use of fraudulent Microsoft digital certificates.

“If you have not installed the update in Security Advisory 2718704 yet, you should plan on rolling it out as quickly as possible at least together with the other critical patches next week,” he said. “It is a simple patch that only removes the offending certificates from the system certificate store and will harden the OS against the expected use of the Flame signing technique by future Malware.”

The certificate issue came up during the ongoing investigation of the Flame attacks, when it was discovered components of Flame were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. Those certificates were then used in combination with a man-in-the-middle attack to utilize the Windows Update mechanism to propagate the malware on a local network.

Hardening Windows Update

In addition to revoking trust in the certificate authorities at the center of the attacks, Microsoft also pledged to harden the Windows Update mechanism to prevent other attackers from taking the same action.

“To attack systems using Windows Vista and above, a potential attacker would have needed access to the now invalid Terminal Server Licensing Service certificates and the ability to perform a sophisticated MD5 hash collision,” explained Mike Reavy, senior director at Microsoft Security Response Center. “On systems that pre-date Vista, an attack is possible without an MD5 hash collision. In either case, of course, an attacker must get his signed code onto the target system. This can be done if the client’s Automatic Update program receives the attacker’s signed package because such packages are trusted so long as they are signed with a Microsoft certificate. Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack.”

Microsoft is addressing this issue in two ways. First, the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client. Second, the company said it is strengthening the communication channel used by Windows Update “in a similar way.”

The changes to the Windows Update and Windows Server Update Services will be rolled out during the next few days, Microsoft said.

The Patch Tuesday updates are slated for June 12.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.