Executive Summary
Summary | |
---|---|
Title | Compatibility Issues Affecting Signed Microsoft Binaries |
Information | |||
---|---|---|---|
Name | KB2749655 | First vendor Publication | 2012-10-09 |
Vendor | Microsoft | Last vendor Modification | 2012-12-11 |
Severity (Vendor) | N/A | Revision | 2.0 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : | |||
---|---|---|---|
Cvss Base Score | Not Defined | Attack Range | Not Defined |
Cvss Impact Score | Not Defined | Attack Complexity | Not Defined |
Cvss Exploit Score | Not Defined | Authentication | Not Defined |
Detail
Microsoft is aware of an issue involving specific digital certificates that were generated by Microsoft without proper timestamp attributes. These digital certificates were later used to sign some Microsoft core components and software binaries. This could cause compatibility issues between affected binaries and Microsoft Windows. While this is not a security issue, because the digital signature on files produced and signed by Microsoft will expire prematurely, this issue could adversely impact the ability to properly install and uninstall affected Microsoft components and security updates.

As a pre-emptive action to assist customers, Microsoft is providing a non-security update for supported releases of Microsoft Windows. This update helps to ensure compatibility between Microsoft Windows and affected software binaries. For more information about the update, please see Microsoft Knowledge Base Article 2749655. In addition, Microsoft is providing updates as they become available for products affected by this issue. These updates may be provided as part of rereleased updates, or included in other software updates, depending on customer needs.

Recommendation. Microsoft recommends that customers apply the KB2749655 update and any rereleased updates addressing this issue immediately, either by using update management software or by checking for updates using the Microsoft Update service. Please see the List of available rereleases and the Suggested Actions sections of this advisory for more information.

In some cases, to best meet customer needs, Microsoft is addressing this issue by rereleasing affected updates.

Note regarding the impact of not installing a rereleased update

For more information about this issue, see the following references:

The update associated with this advisory applies to the following software.

Where are the updates for Windows 8 and Windows Server 2012?

What is the scope of the advisory?
As a pre-emptive action to assist customers, Microsoft is providing a non-security update for supported releases of Microsoft Windows. This update helps to ensure compatibility between Microsoft Windows and affected software binaries.

Is this a security vulnerability that requires Microsoft to issue a security update?

This is a security advisory about a non-security update. Isn't that a contradiction?
Microsoft is issuing an update for this component to improve long-term stability and compatibility for software and components that use the Windows Authenticode Signature Verification function.

What causes this issue?

What does this update do?

If Microsoft is releasing a non-security update addressing this issue, why is Microsoft also re-releasing bulletins?

What is the impact of not installing this update?

When will the affected code-signing certificates expire?

How are timestamp Enhanced Key Usage (EKU) extensions used?

What is a digital certificate?

Does this issue represent the compromise of the affected certificates?

What is the Windows Authenticode Signature Verification function?

What impact does this issue have on developers?

Apply the update for supported releases of Microsoft Windows

The majority of customers have automatic updating enabled and will not need to take any action because the KB2749655 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install updates manually, Microsoft recommends that customers apply the KB2749655 update and any rereleased updates that address this issue immediately, either by using update management software or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2749655.

We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates, and installing antivirus software. For more information, see Microsoft Safety & Security Center.

Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
Original Source
Url : http://www.microsoft.com/technet/security/advisory/2749655.mspx |
Alert History
Date | Information |
---|---|
2012-12-11 21:20:01 |
|
2012-11-14 00:20:32 |
|