Microsoft updated Windows where it can restrict the use of any certificates with RSA keys less than 1024 bits in length.
The reason for the change, Microsoft said, is it is possible to crack weak certificates with keys less than 1024 bits with few resources in a rather short amount of time and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
A user can download the update through the Microsoft Download Center as well as the Microsoft Update Catalog, and is available for all currently supported releases of the Windows operating system.
Microsoft said it would release the update through Microsoft Update in October “after customers have a chance to assess the impact of this update and take necessary actions to use certificates with RSA keys greater than or equal to 1024 bits in length in their enterprise.”
Microsoft suggests customers download the update and assess the impact of blocking certificates with RSA keys less than 1024 bits in length before applying the update across their enterprise. The reason is there are several known issues associated with the update that could disrupt operations.
First, a users will need to restart the system after applying the update, so that is something to keep in mind when updating systems for which even minimal downtime could disrupt operations. Other issues include possible problems with Outlook being able encrypt email using weaker certificates, as well as Internet Explorer not being allowed to access websites secured using an RSA certificate with key length of less than 1024 bits.
The issues of weaknesses in certificates was highlighted during the investigation of the Flame attacks, when it was discovered that components of the complex malware were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. Those certificates were subsequently used in combination with a man-in-the-middle attack to hijack the Windows Update mechanism and propagate the malware on a local network.
In June, Microsoft revoked trust in the certificate authorities at the center of the Flame attacks and updated the Windows Update mechanism to only trust files signed by the new certificate used exclusively to protect updates to the Windows Update client.
While Microsoft suffered a compromise in this case, enterprises should take note and realize their IT infrastructure could be at risk to similar style attacks.