Executive Summary

Title: Updates to Improve Cryptography and Digital Certificate Handling in Windows
Name: KB2854544
Vendor: Microsoft
Severity (Vendor): N/A
First vendor publication: 2013-06-11
Last vendor modification: 2013-11-12
Revision: 1.3

Security-Database Scoring CVSS v3

CVSS vector: N/A (no CVSS v3 score assigned; overall, base, impact, exploitability, temporal and environmental scores not available)

Security-Database Scoring CVSS v2

CVSS vector: Not Defined (no CVSS v2 base, impact or exploit score; attack range, attack complexity and authentication not defined)

Detail

General Information

Executive Summary

Microsoft is announcing the availability of updates as part of ongoing efforts to improve cryptography and digital certificate handling in Windows. Microsoft will continue to announce additional updates via this advisory, all aimed at bolstering the Windows cryptography and certificate handling infrastructure in response to an evolving threat environment.

Available Updates and Release Notes

The update released on November 12, 2013:

  • Microsoft released an update (2868725) for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT to address known weaknesses in RC4. The update is offered via automatic updating and through the Microsoft Update service for all affected software, and is also available on the Download Center and the Microsoft Update Catalog for all affected software except Windows RT. The update supports removing RC4 as an available cipher on affected systems through registry settings, and lets developers remove RC4 from individual applications by setting the SCH_USE_STRONG_CRYPTO flag in the SCHANNEL_CRED structure. Neither option is enabled by default: installing the update by itself does not disable RC4. Microsoft recommends that customers test any settings that disable RC4 before deploying them in their environments. For more information, see Microsoft Security Advisory 2868725.
  • Microsoft announced a policy change to the Microsoft Root Certificate Program for the deprecation of the SHA-1 hashing algorithm in X.509 digital certificates. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Microsoft recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity. For more information, see Microsoft Security Advisory 2880823.
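The registry route to disabling RC4 mentioned for update 2868725 is shown below as an added example; it is not code from the advisory or from Microsoft. The cipher key names under the Schannel Ciphers key and the Enabled DWORD are the documented Schannel settings; the function names and the -Apply switch are this script's own. Run it elevated, first without -Apply to see the current state.

```powershell
# Added example (not part of the advisory): audit the Schannel RC4 cipher keys
# that update 2868725 documents and, with -Apply, write Enabled=0 to disable RC4.
[CmdletBinding()]
param([switch]$Apply)

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Suites   = 'RC4 128/128', 'RC4 56/128', 'RC4 40/128'

function Get-Rc4CipherState {
    # One object per RC4 key. Enabled is $null when the key or value is absent,
    # which Schannel treats as "cipher allowed" (the default before any change).
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)
    foreach ($suite in $rc4Suites) {
        $sub     = if ($ciphers) { $ciphers.OpenSubKey($suite) } else { $null }
        $enabled = if ($sub) { $sub.GetValue('Enabled') } else { $null }
        $state   = if ($null -eq $enabled) { 'not configured (allowed by default)' }
                   elseif ($enabled -eq 0)  { 'disabled' }
                   else                     { 'enabled' }
        [pscustomobject]@{ Suite = $suite; Enabled = $enabled; State = $state }
        if ($sub) { $sub.Close() }
    }
    if ($ciphers) { $ciphers.Close() }
}

function Disable-Rc4Cipher {
    # Creates any missing RC4 key and sets Enabled=0. Needs an elevated shell;
    # Schannel reads these values at service start, so plan a restart afterwards.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath, $true)
    if (-not $ciphers) { throw "Cannot open HKLM\$ciphersPath for writing (run elevated?)" }
    foreach ($suite in $rc4Suites) {
        # The .NET registry API is used instead of the HKLM: provider because
        # PowerShell treats the '/' in 'RC4 128/128' as a path separator.
        $sub = $ciphers.CreateSubKey($suite)
        $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $sub.Close()
    }
    $ciphers.Close()
}

Get-Rc4CipherState | Format-Table -AutoSize
if ($Apply) {
    Disable-Rc4Cipher
    Write-Output 'RC4 disabled in Schannel; restart the system for the change to take effect.'
    Get-Rc4CipherState | Format-Table -AutoSize
}
```

Disabling RC4 server-side breaks any client that negotiates only RC4 suites, which is why the advisory asks for testing first: run the audit on a pilot host, apply, and watch Schannel event log entries and application connection failures before rolling the setting out.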

The updates released on August 13, 2013:

  • Microsoft released an update (2862966) for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT. The update is offered via automatic updating and through the Microsoft Update service for all affected software. The update is also available on the Download Center as well as the Microsoft Update Catalog for all affected software except for Windows RT. The update provides a framework to help improve management of certificates that use specific cryptographic and hashing algorithms in Microsoft Windows. This update does not restrict the use of certificates by itself, but may be a prerequisite for later updates that do restrict the use of certificates. For more information and for currently known issues that customers may experience when installing this update, see Microsoft Knowledge Base Article 2862966.
  • Microsoft released an update (2862973) for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT. At this time the update is available only from the Download Center and the Microsoft Update Catalog for all affected software except for Windows RT. The update restricts the use of certificates with MD5 hashes. For more information, see Microsoft Security Advisory 2862973. The 2862966 update is a prerequisite for this update.
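Both the MD5 restriction in update 2862973 and the SHA-1 deprecation policy above turn on the signature algorithm of certificates already deployed, so the first practical step is an inventory. The script below is an added example, not code from the advisory or from Microsoft; the store list, the output fields and the match on the signature algorithm's friendly name (for example sha1RSA, md5RSA) are this script's own choices.

```powershell
# Added example (not from the advisory): list certificates in the local stores
# whose signature uses MD5 or SHA-1, i.e. what the MD5 restriction can block and
# what the SHA-1 deprecation requires replacing with SHA-2 certificates.
function Get-WeakHashCertificate {
    param(
        [string[]]$StorePath = @(
            'Cert:\LocalMachine\My',    # server/client certificates this machine presents
            'Cert:\LocalMachine\CA',    # intermediate CAs
            'Cert:\LocalMachine\Root',  # trusted roots (self-signed; see note below)
            'Cert:\CurrentUser\My'
        )
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^(md5|sha1)' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Algorithm  = $_.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, md5RSA
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    NotAfter   = $_.NotAfter
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

# Self-signed roots are listed for completeness only: a root's own signature is
# not verified during chain building, so it is unaffected by either change.
Get-WeakHashCertificate |
    Sort-Object SelfSigned, Algorithm, NotAfter |
    Format-Table Store, Algorithm, SelfSigned, NotAfter, Subject -AutoSize
```

Entries with SelfSigned set to False and Algorithm md5RSA are the ones that stop validating once 2862973 is installed; sha1RSA entries are the replacement backlog for the SHA-2 migration.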

The update released on June 11, 2013:

  • Microsoft released an update (2813430) for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT. The update is available on the Download Center as well as the Microsoft Update Catalog for all affected software except for Windows RT. It is also offered via automatic updating and through the Microsoft Update service. The update for Windows RT is available via Windows Update. The update enables administrators to update the trusted and disallowed CTLs on systems that cannot reach the Windows Update site, such as disconnected environments. For more information, see Microsoft Knowledge Base Article 2813430.
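The procedure that update 2813430 enables, staging the CTLs on an internal share and pointing disconnected clients at it, is shown below as an added example; it is not code from the advisory or from Microsoft. It uses the certutil -syncWithWU switch and the RootDirUrl value under the AuthRoot\AutoUpdate key as documented with that update; the UNC share name is hypothetical and the verification step is this script's own.

```powershell
# Added example (not from the advisory): publish the trusted and disallowed CTLs
# to an internal share and redirect clients without Windows Update access to it.
$Share = '\\files.corp.example\ctl$'    # hypothetical UNC path, writable by the publishing account

function Publish-CtlShare {
    # Run on a host that can reach Windows Update. Downloads the CTLs and the
    # root certificates they reference into $Share, then checks both cabinets.
    param([string]$Path = $Share)
    certutil.exe -syncWithWU $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -syncWithWU failed with exit code $LASTEXITCODE" }

    foreach ($cab in 'authrootstl.cab', 'disallowedcertstl.cab') {
        $file = Join-Path $Path $cab
        if (-not (Test-Path $file)) { throw "Missing $file; clients would fail to update" }
        Write-Output ("{0,-22} {1:yyyy-MM-dd HH:mm}" -f $cab, (Get-Item $file).LastWriteTime)
    }
}

function Set-CtlUpdateSource {
    # Run elevated on each client that cannot reach Windows Update. The documented
    # URL form for a share is file://\\server\share.
    param([string]$Path = $Share)
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name RootDirUrl -Type String -Value "file://$Path"
    Get-ItemProperty -Path $key -Name RootDirUrl
}

Publish-CtlShare        # on the internet-connected publishing host
Set-CtlUpdateSource     # on each disconnected client
```

Re-run Publish-CtlShare on a schedule: the disallowed CTL is how revoked or untrusted certificates reach clients that never see Windows Update, so a stale share silently reopens whatever the latest CTL closed.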

Frequently Asked Questions

What is a Certificate Trust List (CTL)?
A trust must exist between the recipient of a signed message and the signer of the message. One method of establishing this trust is through a certificate, an electronic document verifying that entities or persons are who they claim to be. A certificate is issued to an entity by a third party that is trusted by both of the other parties. So, each recipient of a signed message decides if the issuer of the signer's certificate is trustworthy. CryptoAPI has implemented a methodology to allow application developers to create applications that automatically verify certificates against a predefined list of trusted certificates or roots. This list of trusted entities (called subjects) is called a certificate trust list (CTL). For more information, please see the MSDN article, Certificate Trust Verification.

What is a digital certificate?
In public key cryptography, one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this. A digital certificate is an electronic credential used to certify the online identities of individuals, organizations, and computers. Digital certificates contain a public key packaged together with information about it - who owns it, what it can be used for, when it expires, and so forth.

What is the purpose of a digital certificate?
Digital certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. Normally you won't have to think about certificates at all. You might, however, see a message telling you that a certificate is expired or invalid. In such cases you should follow the instructions in the message.

What is a certification authority (CA)?
Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/2854544.mspx

Alert History

Date / Information
2014-02-17 11:38:42
  • Multiple Updates
2013-11-12 21:23:42
  • Multiple Updates
2013-11-12 21:19:23
  • Multiple Updates
2013-09-18 17:10:42
  • Multiple Updates
2013-06-11 21:18:19
  • First insertion