Certificate Trust List update and the June 2012 bulletins

For Update Tuesday we’re releasing seven security bulletins – three Critical-class and four Important – addressing 26 unique CVEs to further improve the security postures of Microsoft Windows, Internet Explorer, Dynamics AX, Microsoft Lync, and the Microsoft .NET Framework. In addition to the security bulletins, we are releasing an automatic updater feature for untrusted certificates on Windows Vista and Windows 7.

This new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted. With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update. This new automatic update mechanism, which relies on a list of untrusted certificates known as a Disallowed Certificate Trust List (CTL), is detailed on the PKI blog. We encourage all customers to install this new feature immediately.

Adding to our defense-in-depth measures, in August, we will release a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length. Once this key length update is released, we will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority. We’re announcing this now to allow folks time to make needed adjustments. Further information on this change can be found on the PKI blog.
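The two certificate changes above both call for an inventory pass before they land: which certificates in the local stores carry RSA keys shorter than 1024 bits, and which of those are already in the Disallowed (Untrusted Certificates) store that the Disallowed CTL update maintains. The following PowerShell is an added example written for this post, not code from Microsoft or the PKI blog. The function names and the 1024-bit threshold parameter are this example's own; the `Cert:` drive, the `LocalMachine\Disallowed` store, and the `X509Certificate2` properties it reads are standard Windows PowerShell and .NET.

```powershell
# Added example, not Microsoft's own code: audit local certificate stores ahead of the
# announced changes. Function names and the threshold parameter are this example's own.

function Get-WeakRsaCertificate {
    # Return every RSA certificate in the local stores whose public key is shorter
    # than $MinBits. Non-RSA keys (ECDSA, DSA) are skipped because the announced
    # change concerns RSA key length only.
    param([int]$MinBits = 1024)

    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
        ForEach-Object {
            $bits = $_.PublicKey.Key.KeySize
            if ($bits -lt $MinBits) {
                [PSCustomObject]@{
                    # PSParentPath looks like "...Certificate::LocalMachine\Root"; keep the store part.
                    Store      = ($_.PSParentPath -replace '^.*::', '')
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
        }
}

function Test-CertificateDisallowed {
    # True if a certificate with this thumbprint is present in the machine's
    # Disallowed store, where explicitly distrusted certificates are placed.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $needle = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $hits = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Thumbprint -eq $needle }
    return [bool]$hits
}

# Usage: list weak-key certificates, noting which are already explicitly distrusted.
Get-WeakRsaCertificate |
    Select-Object Store, Subject, KeyBits, NotAfter, Thumbprint,
        @{ Name = 'InDisallowedStore'
           Expression = { Test-CertificateDisallowed -Thumbprint $_.Thumbprint } } |
    Sort-Object KeyBits |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the `LocalMachine` stores are fully readable; entries whose `Store` is `LocalMachine\Root` or `LocalMachine\CA` are the ones to raise with the issuing authority before August, since chains through them will stop validating once the key length change ships. Certificates already in `Disallowed` need no action beyond confirming they are expected there.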

Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing on the following two Critical updates first:

MS12-037 (Internet Explorer): This security update addresses 13 issues affecting all supported versions of IE. The maximum severity for these issues is Critical and could result in remote code execution. To ensure protection, all updates from this bulletin must be applied. We recommend that customers read through the bulletin information concerning MS12-037 and apply it as soon as possible.

MS12-036 (RDP): This security update addresses one Critical issue affecting all supported versions of Microsoft Windows that could result in remote code execution. Attack vectors for this issue include maliciously crafted websites and email. We recommend that customers read through the bulletin information concerning MS12-036 and apply it as soon as possible.

Please watch the video below for an overview of this month’s bulletins.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning.

Our risk and impact graph provides an aggregate view of this month’s severity and exploitability index.

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page.

We’re also issuing Security Advisory 2719615 today. It includes information on and mitigations for a recently disclosed Remote Code Execution issue involving MSXML Core Services, which is part of Windows and other products. Our investigation is still underway, but we have already developed an effective workaround that stops would-be attackers from taking advantage of the issue via Internet Explorer. We’re pleased to offer it as an easy-to-deploy, no-reboot-required Fix it in Security Advisory 2719615 for anyone who, after reading about the issue, believes they might be at risk.

Please join us tomorrow (Wednesday, June 13, 2012) at 11am PDT for a live webcast with Jonathan Ness and Dustin Childs, who will be going into greater detail about these bulletins and our other announcements this month. As always, they will be answering bulletin-related questions live during the webcast. You may register for that one-hour event here.


Angela Gunn
Trustworthy Computing.