
Technical Cyber Security Alert 2012-251A

Posted Sep 8, 2012
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert 2012-251A - Microsoft has announced the availability of an update to Windows that restricts the use of certificates with RSA keys that are less than 1024 bits in length. Microsoft is planning to release this update through Microsoft Update in October 2012. System administrators of Microsoft Windows platforms should assess the impact of this update on their environment before any wide-scale deployment.

tags | advisory
systems | windows
SHA-256 | f90e4019d1f8d6e35376e69847442420d670c1addf9e1e61dab39db99b58fd35



National Cyber Awareness System

US-CERT Alert TA12-251A
Microsoft Update For Minimum Certificate Key Length

Original release date: September 07, 2012
Last revised: --

Systems Affected

* Windows XP Service Pack 3
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition Service Pack 2
* Windows Server 2003 with SP2 for Itanium-based Systems
* Windows Vista Service Pack 2
* Windows Vista x64 Edition Service Pack 2
* Windows Server 2008 for 32-bit Systems Service Pack 2
* Windows Server 2008 for x64-based Systems Service Pack 2
* Windows Server 2008 for Itanium-based Systems Service Pack 2
* Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
* Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
* Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1
* Windows Server 2008 R2 for Itanium-based Systems
* Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
* Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
* Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
* Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)


Overview

Microsoft has announced the availability of an update to Windows
that restricts the use of certificates with RSA keys that are less
than 1024 bits in length. Microsoft is planning to release this
update through Microsoft Update in October 2012. System
administrators of Microsoft Windows platforms should assess the
impact of this update on their environment before any wide-scale
deployment.


Description

Microsoft's KB2661254 article states in part:

"The strength of public-key-based cryptographic algorithms is
determined by the time that it takes to derive the private key by
using brute-force methods. The algorithm is considered to be strong
enough when the time that it takes to derive the private key is
prohibitive enough by using the computing power at its disposal. The
threat landscape continues to evolve. Therefore, Microsoft is
further hardening the criteria for the RSA algorithm with key
lengths that are less than 1024 bits long.

After the update is applied, only certificate chains that are built
by using the CertGetCertificateChain function are affected. The
CryptoAPI builds a certificate trust chain and validates that chain
by using time validity, certificate revocation, and certificate
policies (such as intended purposes). The update implements an
additional check to make sure that no certificate in the chain has
an RSA key length of less than 1024 bits."


Impact

The private keys used in certificates with RSA keys that are less
than 1024 bits in length can be derived and could allow an attacker
to duplicate the certificates and use them fraudulently to spoof
content, perform phishing attacks, or perform man-in-the-middle
attacks.


Solution

US-CERT recommends that system administrators of Microsoft Windows
platforms read Microsoft's KB2661254 article and perform an
extensive test of the update before doing any wide-scale deployment
in their environment. The update will be sent to Microsoft Update
for the October 2012 patch cycle. System administrators can obtain
the update now from Microsoft's Download Center.
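To assess the impact before deployment, an administrator can inventory which certificates in the Windows stores, and which certificates in their trust chains, carry RSA keys shorter than 1024 bits, which is the condition the updated chain validation rejects. The PowerShell below is an added example, not code from the alert or from Microsoft; the function names are invented, and it assumes Windows PowerShell with the Cert: drive, run elevated so every LocalMachine store is readable.

```powershell
# Added example, not part of the US-CERT alert or Microsoft's KB article.
# Assumes Windows PowerShell with the Cert: drive; run elevated. Names are invented.
$MinimumRsaKeyBits = 1024   # the threshold KB2661254 enforces

# Lists every certificate under the given store roots whose RSA public key is
# shorter than $MinimumBits. DSA and ECC certificates are unaffected and skipped.
function Find-WeakRsaCertificate {
    param(
        [string[]]$StoreRoots = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]$MinimumBits = $MinimumRsaKeyBits
    )
    foreach ($root in $StoreRoots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
                $bits = $cert.PublicKey.Key.KeySize
                if ($bits -lt $MinimumBits) {
                    [pscustomobject]@{
                        Store      = $cert.PSParentPath -replace '^.*::', ''
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
    }
}

# Mirrors the new chain check: builds the trust chain for one certificate and reports
# every element (leaf, intermediates, root) below the threshold; one weak key fails the chain.
function Test-ChainRsaKeyLength {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MinimumBits = $MinimumRsaKeyBits
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # key length only; revocation is unchanged by the update
    $null = $chain.Build($Certificate)
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        if ($c.PublicKey.Oid.FriendlyName -eq 'RSA' -and $c.PublicKey.Key.KeySize -lt $MinimumBits) {
            [pscustomobject]@{ Subject = $c.Subject; KeyBits = $c.PublicKey.Key.KeySize }
        }
    }
}

Find-WeakRsaCertificate | Format-Table -AutoSize
```

Pass a certificate object from Get-ChildItem Cert:\LocalMachine\My to Test-ChainRsaKeyLength to see which element of its chain would trip the check, since the update rejects the chain even when only an issuing CA has the short key.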


References

* Microsoft Security Advisory: Update for minimum certificate key
length
<http://support.microsoft.com/kb/2661254>

* Microsoft Security Advisory (2661254) Update For Minimum
Certificate Key Length
<http://technet.microsoft.com/en-us/security/advisory/2661254>

* Windows PKI Blog: RSA keys under 1024 bits are blocked
<http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx>

* Windows PKI Blog: Blocking RSA Keys less than 1024 bits (part 2)
<http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx>

* Microsoft Download Center: Search results for KB2661254
<http://www.microsoft.com/en-us/download/search.aspx?q=kb2661254>


Revision History

September 07, 2012: Initial release

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA12-251A Feedback VU#221532" in
the subject.
____________________________________________________________________

Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification.html

Privacy & Use policy:
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/cas/techalerts/TA12-251A.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html