Microsoft patches a critical hole in XML Core Services
On its July Patch Tuesday, Microsoft released nine security updates to fix a total of 16 vulnerabilities in Windows (XP SP3 and later), Office, Internet Explorer, Visual Basic for Applications and SharePoint Server. Three of the updates close critical holes, among them an XML Core Services vulnerability that has been actively exploited for over a month.
The hole allows malicious code to be executed – for example when users visit a specially crafted web page with Internet Explorer. However, the hole can also become a problem in connection with Office 2003 and 2007. The second "critical" update closes two holes in Internet Explorer 9 that can also lead to malware infections when surfing the internet.
The third update fixes a critical vulnerability in Microsoft Data Access Components, a program that is included in all currently supported versions of Windows (XP SP3 and later). The hole can lead to a buffer overflow on the heap and enable attackers to inject malicious code when this software accesses an object in memory that has been improperly initialised. Like the two IE holes, this vulnerability was privately reported to Microsoft; all three holes can be exploited remotely. The remaining six security updates should also be installed as soon as possible: Microsoft has rated their severity as "important". One update exclusively affects Microsoft Office 2011 for Mac OS X.
As a precautionary measure, the company has placed several of its CAs in the Untrusted Certificate Store because their private RSA keys are less than 1,024 bits long. This key length is considered a problem – the increasing computing power of modern machines reduces the amount of time that is required to calculate the matching private key from a public key. The current safe key length is 2,048 bits. Starting in August, Windows will no longer trust any certificates that were issued by a CA that uses RSA keys shorter than 1,024 bits – even if the certificates are still valid and were issued by a trusted CA.
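Administrators who want to find certificates that will fall foul of the new key-length rule before August can audit a PEM bundle for RSA moduli shorter than 1,024 bits. The following script is an added example, not code from the article or from Microsoft; it assumes the third-party Python `cryptography` package, and the two self-signed certificates it audits (a 512-bit "Legacy Test CA" and a 2,048-bit "Modern Test CA") are constructed in the script itself rather than taken from any real store.

```python
# Added example (not from the article): audit a PEM bundle for RSA keys shorter
# than 1,024 bits, the threshold the August Windows update enforces.
# Assumes the third-party "cryptography" package (pip install cryptography).
import re
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 1024  # RSA keys below this length are treated as untrusted

# Matches one PEM certificate block; a bundle may contain several.
_PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def make_self_signed_cert(key_size: int, common_name: str) -> bytes:
    """Build a throwaway self-signed certificate (constructed test data only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def audit_pem_bundle(pem_bundle: bytes, min_bits: int = MIN_RSA_BITS) -> list:
    """Return one (subject, key_type, bits, weak) tuple per certificate.

    Only RSA keys are measured against min_bits. Certificates with other key
    types are still listed (bits=None, weak=False) so nothing is silently
    skipped, but they are not misclassified by an RSA-specific rule.
    """
    findings = []
    for block in _PEM_CERT.findall(pem_bundle):
        cert = x509.load_pem_x509_certificate(block)
        pub = cert.public_key()
        subject = cert.subject.rfc4514_string()
        if isinstance(pub, rsa.RSAPublicKey):
            bits = pub.key_size  # modulus length in bits
            findings.append((subject, "RSA", bits, bits < min_bits))
        else:
            findings.append((subject, "non-RSA", None, False))
    return findings


def weak_subjects(pem_bundle: bytes, min_bits: int = MIN_RSA_BITS) -> list:
    """Subjects of the certificates that would stop being trusted."""
    return [s for s, _, _, weak in audit_pem_bundle(pem_bundle, min_bits) if weak]


if __name__ == "__main__":
    # Constructed sample bundle: one key that fails the rule, one that passes.
    bundle = (
        make_self_signed_cert(512, "Legacy Test CA")
        + make_self_signed_cert(2048, "Modern Test CA")
    )
    for subject, ktype, bits, weak in audit_pem_bundle(bundle):
        print(f"{subject:22} {ktype:7} {bits or '-':>5} {'WEAK' if weak else 'ok'}")
```

Run against a real bundle by replacing the constructed `bundle` with the bytes of an exported PEM file; the `min_bits` parameter lets the same check be reused when the policy threshold is later raised to 2,048 bits.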
Update 11-07-12: A previous version of this article incorrectly stated that Microsoft would rescind the trust in private RSA keys that are 1,024 bits long, when the keys in question are actually ones that are shorter than 1,024 bits.