Microsoft will begin requiring digital certificates to support an RSA key length of at least 1024 bits today, in accordance with a security advisory being pushed through Windows Update.
The new requirement, which Microsoft has been preparing customers for since August, was part of the software company's October 2012 Patch Tuesday security updates. Microsoft also addressed an issue with signature timestamps on valid files and released seven bulletins covering 20 vulnerabilities in Microsoft Windows, SQL Server, and Office.
Users were first notified of the impending change in RSA key lengths in June, as part of Microsoft's response to the Flame malware kit. Security Advisory 2661254, published in August, provided further details of the change and notified users of an update that was made available in Microsoft's download center. Microsoft encouraged customers to apply the change early to work out any kinks before today's mandatory update.
Security update timestamp errors
Microsoft also announced that there was a clerical error in the digital signing of several recently released security updates. According to Security Advisory 2749655, certificates with improper timestamp attributes were used to sign Microsoft core components and software binaries. This error does not present a security issue, however it will cause the certificates to expire prematurely in January 2013.
"Microsoft is providing updates as they become available for products affected by this issue. These updates may be provided as part of rereleased updates, or included in other software updates, depending on customer needs," the security advisory read. The company has already begun rereleasing updates today, including KB723135, KB2705219 and KB2731847.
Wolfgang Kandek, CTO at Redwood City, Calif.-based Qualys Inc., said all of the updates should be rereleased by January.
Critical Microsoft Word security bulletin
Of the seven security bulletins released as part of Patch Tuesday, one was classed as "critical," while the remaining six were assigned a rating of "important." The critical bulletin, MS12-064, addresses vulnerabilities in Microsoft Word that could allow remote code execution.
To exploit the flaws, an attacker could send an email containing a malicious Rich Text Format (RTF) file.
"That's the one to apply as quickly as possible," Kandek said of MS12-064. "Under certain circumstances just looking at the email would get you infected."
Kandek added that it is important to apply this update because almost any system is open to the threat.
MS12-064 is rated critical for the newer versions of Microsoft Word, 2007 and 2010. The rating drops to important for Microsoft Word 2003, Microsoft Word Viewer, Microsoft Office Compatibility Pack, Microsoft Word Automation Services on Microsoft SharePoint Server 2010, and Microsoft Office Web Apps. Applying the update may require a restart.
MS12-065, the first important bulletin, fixes a vulnerability that could allow remote code execution if a user opens a specially crafted Microsoft Word file using Microsoft Works. The issue specifically affects Microsoft Works 9 and may require a restart, Microsoft said.
MS12-066 could allow elevation of privilege if an attacker sends specially crafted content to a user. The vulnerability appears in Microsoft Office, Microsoft Communications Platforms, Microsoft Server software, and Microsoft Office Web Apps, specifically hindering Microsoft Communicator 2007 R2, Microsoft Groove Server 2010, Microsoft Office Web Apps 2010, and multiple versions of Microsoft SharePoint Server, Microsoft InfoPath and Microsoft Lync.
MS12-067 addresses vulnerabilities in FAST Search Server 2010 for SharePoint Parsing and could allow remote code execution. MS12-070 fixes an issue in SQL Server that could allow elevation of privilege. They both may require a restart.
MS12-068 could lead to elevation of privilege and affects all versions of Microsoft Windows except Windows 8 and Windows Server 2012. It requires a restart. MS12-069 also requires a restart and could lead to a denial of service. It addressed vulnerabilities in Windows 7 and Windows Server 2008 R2.