Mini Patch Tuesday coming from Microsoft
Next week, the September Patch Tuesday for Microsoft will most likely see only two updates issued to close four holes. One update secures the Visual Studio Team Foundation Server 2010 and the other fixes Systems Management Server 2003 and 2007. The holes allow a logged-in user to get higher privileges (privilege escalation) and Microsoft classifies the fixes as important.
Administrators could be in for a more stressful October Patch Tuesday though, because from that point, Microsoft wants to distribute an already available patch for the Windows certificate infrastructure via Windows Update. The update ensures that, for Windows certificates where the RSA private key is shorter than 1024 bits, the certificate is declared invalid.
This can lead to a series of problems: error messages while browsing, problems with S/MIME secure mail transport, and issues installing signed ActiveX controls. If certificates with short RSA keys are in use, their users should switch to a certificate with a sufficiently long RSA key. This should prevent the potential symptoms of the October update from appearing and will also provide additional security: if a private key is too short, it is foreseeable that it could be recovered from the public key in the future. As the developers of the Flame spyware showed, that is not a theoretical attack.
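Before the October update reaches Windows Update, an administrator will want to find any certificates in their own estate that the new rule will reject. The following is an added example (not code from Microsoft or from the article) that does that check on DER-encoded X.509 certificates using only the Python standard library: it walks the certificate far enough to reach the SubjectPublicKeyInfo, reads the RSA modulus, and flags anything under 1024 bits, measuring key length as the bit length of the modulus, which is how the key sizes in the text are counted. The DER writer at the bottom exists only to construct sample certificates for the demonstration; the moduli it wraps are constructed numbers of a given bit length, not real keys, and the certificate skeleton is unsigned with empty names.

```python
"""Find RSA public keys shorter than 1024 bits in DER-encoded X.509 material.

Standard library only: a minimal DER reader, a minimal DER writer (used here
only to construct sample input), and a check that mirrors the policy the
October update enforces: RSA keys under 1024 bits are rejected.
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
MIN_RSA_BITS = 1024


# ---- minimal DER reader ----------------------------------------------------

def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def elements(content):
    """Yield (tag, value, raw_tlv) for each element inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, end = read_tlv(content, pos)
        yield tag, value, content[pos:end]
        pos = end


def spki_from_certificate(cert_der):
    """Return the raw SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs, _ = next(elements(cert))       # TBSCertificate is the first element
    fields = list(elements(tbs))
    if fields[0][0] == 0xA0:               # skip the optional explicit [0] version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus in a SubjectPublicKeyInfo, or None if not RSA."""
    tag, spki, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    (_, alg, _), (bs_tag, bitstring, _) = list(elements(spki))
    oid_tag, oid, _ = next(elements(alg))
    if oid_tag != 0x06 or bs_tag != 0x03:
        raise ValueError("malformed SubjectPublicKeyInfo")
    if oid != RSA_ENCRYPTION_OID:
        return None                        # e.g. an ECDSA key; not covered by the RSA rule
    # BIT STRING content = one unused-bits byte, then RSAPublicKey ::= SEQUENCE { n, e }
    pk_tag, rsa_pub, _ = read_tlv(bitstring, 1)
    n_tag, n_bytes, _ = next(elements(rsa_pub))
    if pk_tag != 0x30 or n_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    # DER INTEGER is big-endian; a leading 0x00 only keeps the sign bit clear
    return int.from_bytes(n_bytes, "big").bit_length()


def certificate_is_acceptable(cert_der, minimum=MIN_RSA_BITS):
    """False when the certificate carries an RSA key shorter than `minimum` bits."""
    bits = rsa_modulus_bits(spki_from_certificate(cert_der))
    return bits is None or bits >= minimum


# ---- minimal DER writer: builds constructed samples, not real certificates --

def der(tag, content):
    """Encode one DER element with short- or long-form length as required."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(value):
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_sample_certificate(modulus, exponent=65537):
    """Constructed, unsigned certificate skeleton around an RSA key (testing only)."""
    rsa_pub = der(0x30, der_int(modulus) + der_int(exponent))
    alg = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa_pub))
    empty = der(0x30, b"")                 # placeholders for signature alg, names, validity
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + empty * 4 + spki)
    return der(0x30, tbs + empty + der(0x03, b"\x00"))


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        n = (1 << (bits - 1)) | 1          # constructed odd number of exactly `bits` bits, not a real modulus
        cert = build_sample_certificate(n)
        verdict = "ok" if certificate_is_acceptable(cert) else "REJECTED by the update's policy"
        print(f"{rsa_modulus_bits(spki_from_certificate(cert))}-bit RSA key: {verdict}")
```

To run it against real certificates, feed `certificate_is_acceptable` the DER bytes of each file (PEM files need their base64 body decoded first); a modulus of 1023 bits is rejected just like 512, because the rule is a hard threshold rather than a rough size class.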