Over the last several months I, along with Head Geek and Microsoft MVP LGarvin, have written several posts on thwack about a recent Microsoft patch for all supported Windows versions prior to Windows 8 and Windows Server 2012. This patch invalidates all certificates that use encryption keys of fewer than 1024 bits. Most (if not all) of our previous posts were geared toward Patch Manager users and the general Microsoft patching community, but it's recently become apparent that the patch is affecting the greater IT community at large. For example, if you manage a VMware environment, you might not be able to access VCenter in your web browser after applying the patch. Here's a link to the VMware article about the Microsoft patch.

 

About the Microsoft Patch

The patch, KB2661254 is a critical update for computers running the following operating systems:

  • Windows XP Service Pack 3
  • Windows Server 2003 Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Server 2008 Service Pack 2
  • Windows Server 2008 R2
  • Windows Server 2008 R2 Service Pack 1
  • Windows 7
  • Windows 7 Service Pack 1

 

Microsoft released the patch to Windows Update on October 9, 2012. This means, if your environment has any automatic approval rules in place for critical updates from Microsoft, many of your systems already have the patch installed. In that case, none of your patched systems will be able to access secure web sites or allow other SSL connections if the certificate used for the secure connection is not 1024 bits or greater.

 

What to do About the Microsoft Patch?

Many vendors, SolarWinds and otherwise, have already updated their products to use certificates that comply with the Microsoft Patch by default. For example, SolarWinds Patch Manager now installs with a 2048-bit certificate instead of the 512-bit certificate it used previously. The reason vendors have responded so quickly (Patch Manager responded back in August) is because the patch came about as a response to the so-called "Flame fiasco," which "exploits a defect in the Microsoft Terminal Server Licensing Services application that generates licensing certificates for Terminal Services clients," ultimately resulting in compromised Windows Update Agents.

 

That said, you should use caution before applying the patch to ensure you do not break communications in your environment unwittingly. The Microsoft article for KB2661254 provides an detailed section on how to discover RSA certificates with key lengths of less than 1024 bits. It would be wise to use one of the methods described therein if you plan to deploy the patch, especially if some systems are already patched.

 

For additional information about KB2661254, check out the following resources on Microsoft TechNet: