Patches for critical Word flaw, RSA key length, clerical timestamp code-signing error

There was a somewhat strange security update rolled out on Patch Tuesday, being that it does not address a security flaw, but rather a clerical timestamp error on binaries; this code-signing error will cause the digital signature on files produced and signed by Microsoft to expire and become invalid prematurely. Because “of the two known timestamping certificates that were missing the critical attribute,” Security Advisory 2749655 warns, “This issue could adversely impact the ability to properly install and uninstall affected Microsoft components and security updates.”

The signing error involved the timestamp placed on each file as it was being signed. The certificate used for timestamping was missing a critical attribute that will cause the digital signature to become invalid at the point in the future when the package’s signing key has expired. Normally, the signing key is valid for a reasonably short amount of time, while the timestamp allows the binary to be trusted as “valid” for a much longer period of time.

The Microsoft blog post does not give a date for when the improperly formed timestamps and signing keys will expire and no longer be trusted as valid. Instead, the article states, “For some of the affected files and packages, that signing key expiration date falls in the next few months.”

Such an unusual problem has been met with an equally unusual solution. Microsoft Security Research and Defense wrote:

In addition to re-signing and re-distributing the affected files, we are taking an unusual approach to address this issue at the platform layer. The Windows team has created a package with a modified WinVerifyTrust function that makes a special case of the two known timestamping certificates that were missing the critical attribute. This will enable WinVerifyTrust to continue trusting these files and packages while redistribution completes. This WinVerifyTrust package is available as a Critical-class update and will be distributed over Microsoft Update and via Automatic Updates.

It is important to note that while WinVerifyTrust is the most common place where this check takes place, there are a number of known and potential points where trust may be verified by a third party (such as anti-malware software or software distribution solutions). If the vendor has not made a similar change to their trust model, these files or packages will fail validation.

Since this is a special case scenario, the post further attempts to put the “platform-level change into context” by explaining the three-step process of how WinVerifyTrust validates code-signing signatures. At that point, the blog mentions “when these signing keys start to expire early next year, WinVerifyTrust will start examining the timestamp on these files and packages.” Although a concrete date is never mentioned, yet seems to imply January 2013, the point is apparently to fix this as updates are released to prevent Windows chaos when the signing keys do expire. Microsoft said, “We encourage all customers to apply the re-released, re-signed security updates as they become available. “

Microsoft released seven bulletins and two security advisories this month. The only “critical” bulletin released on Tuesday (MS12-064) addresses a remote code execution vulnerability in Microsoft Word that an attacker could exploit by sending a tainted Rich Text Format (RTF) file. If a user opens a malicious RTF file attachment, or previews a rich text email in Outlook with Word set as the default viewer, then a user’s machine could potentially get infected just by looking at the email.

Andrew Storms, director of security operations at nCircle Security, said, “Word is set as the editor for Outlook, so if you preview [a malicious RTF document], boom … you’ve been hacked.” Microsoft added it is “likely to see reliable exploits developed within the next 30 days.” While this update should be applied as soon as possible, it may require a restart.

Both the vulnerabilities in SafeHTML (MS12-066) and FAST Search Server for Sharepoint (MS12-067) are “likely to see reliable exploits developed within the next 30 days.” Regarding SafeHTML, Microsoft said, “We have seen limited, targeted attacks attempting to leverage this vulnerability against Microsoft online services.”

Microsoft pushed out the update for requiring digital certificates to support an RSA key length of at least 1024 bits (Security Advisory 2661254). This plan to invalidate certificates with keys shorter than 1024 bits long was announced in June, triggered by the discovery of the Flame espionage malware. Users previously had an option to apply the update to disable certificates with shorter and more vulnerable keys, or to block it via WSUS (Windows Server Update Services). As of October Patch Tuesday, “Microsoft is forcing it on everyone.” Storms said, “It will be applied unless you stop it.” According to Microsoft, “The automatic update will be Microsoft’s final step in this effort to help customers strengthen their certificates.”

Lastly, for Windows Server 2008, Microsoft has extended “mainstream support” by 18 months, meaning security fixes, feature updates and general fixes will still be free.

Like this? Here’s more posts:

• Time to disable Java AGAIN: 1 billion at risk from newest critical Java bug
• Feds Warn of Zombie Apocalypse! Buy emergency kit, but you might be a terrorist if…
• Senate report: Fusion centers don’t find terrorists, filled with ‘crap’ that violates privacy
• Smartphone snoop: Even when phone sleeps, digital assistant always eavesdrops
• Facebook Want Button: Collecting massive amounts of data about you has never been easier
• ‘We will find you’ marketing gone wild: Candy bars that guarantee stalkers
• Microsoft: Companies should pay Uncle Sam $10k per H-1B Visa to hire skilled foreigners
• Lock picking hotel rooms like James Bond
• Griefers, not rapture, make thousands of World of Warcraft players drop dead
• Surveillance State: From Inside Secret FBI Terrorist Screening Room to TrapWire Training

Follow me on Twitter @PrivacyFanatic