Microsoft has released several advisories to help their users update from weak crypto:
- Microsoft Security Advisory 2661254: “The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.”
- Microsoft Security Advisory 2862973: “Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program.”
In June 2813430 set the minimum key length for RSA keys to 1024 and today 2862973 announces an update to restrict the use of MD5 in digital certificates that are part of the Microsoft Root Program.
The MD5 change will be pushed out through windows update on February 11, 2014 so consumers have time to get ready for this change. Weak Crypto is something we see way too often when scanning with IP360 so I applaud these changes.
Configuring crypto on the servers is not an easy task for sysadmins and requires editing the registry. Check out the instructions here http://technet.microsoft.com/library/64580d5a-7b33-4151-8fa9-9efcff0240ad
While they are not overly complicated instructions they are a little involved. Given the fact this is Windows can Microsoft give us a GUI for this? Even a stand alone app would work.
I am a big fan of Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) for windows that MS acquired for sysinternals years ago. How about a utility like this for Cyypto?
Crypto is important and it should be brain dead easy to edit and see what you have enabled.
- Brian Martin on Why Vulnerability Statistics Suck
- Vulnerabilities: It’s Time to Review Your ReviewBoard
- What is Vulnerability Management Anyway?
- Your Enterprise Vulnerability Management Reality Check
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock
Categories: Vulnerability Management