Microsoft’s continuing work on digital certificates
On systems where this hardening package is installed, certificates whose RSA public key is shorter than 1024 bits will be treated as invalid, even if they are otherwise valid and signed by a trusted certificate authority. We will deploy this update through our usual update channels for all supported versions of Windows as a Critical non-security update.
We encourage WSUS administrators to approve and deploy that update when we release it in August, to proactively harden their environments against brute force cryptographic attacks. All customers who have opted into Automatic Updates will receive the update according to their Automatic Update settings. You can read more about this hardening in the PKI blog post originally published in June: http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
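Before approving the update, an administrator will want to know which certificates on a machine the new minimum will reject. The following PowerShell audit script is an added example, not code from the Microsoft post or the update itself; it assumes Windows PowerShell with the Cert: provider and a .NET Framework that exposes RSACertificateExtensions (with a fallback to the older PublicKey.Key property), and the two store paths scanned are illustrative.

```powershell
# Added audit script (not from the Microsoft post): list certificates in the local
# machine and current user stores whose RSA public key is shorter than 1024 bits,
# i.e. the certificates the hardening package described above will start rejecting.
# Assumes the Cert: provider; the store paths scanned below are illustrative choices.
$rsaOid  = '1.2.840.113549.1.1.1'   # rsaEncryption: only RSA keys are affected
$minBits = 1024

$weak = foreach ($store in 'Cert:\LocalMachine', 'Cert:\CurrentUser') {
    Get-ChildItem -Path $store -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            if ($_.PublicKey.Oid.Value -ne $rsaOid) { return }   # skip DSA/ECC certificates

            # Prefer the extension method (.NET 4.6+); fall back to the older property.
            try {
                $bits = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_).KeySize
            } catch {
                try { $bits = $_.PublicKey.Key.KeySize } catch { return }   # unreadable key: skip, do not misreport
            }

            if ($bits -lt $minBits) {
                [pscustomobject]@{
                    Store      = $_.PSParentPath -replace '^.*::', ''
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
        }
}

if ($weak) {
    $weak | Sort-Object Store, Subject | Format-Table -AutoSize
    "$(@($weak).Count) certificate(s) with RSA keys under $minBits bits found; these will fail validation once the update is installed."
} else {
    "No RSA keys under $minBits bits found in the scanned stores."
}
```

Run it in an elevated session to see the full LocalMachine stores; any hit that is still in use (a server certificate, a signing certificate for internal code, an issuing CA) needs a replacement issued with a longer key before the update is deployed.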
Finally, we are making one further proactive change today that will help us respond more quickly to any digital certificate issues in the future. Last month, we announced the availability of a new automatic updater of untrusted certificates for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This new feature provides dynamic updates, allowing Windows clients to receive untrusted certificate updates once per day without requiring user interaction. You can read more about the feature in the PKI blog post previously mentioned and in KB 2677070. Until now this feature has been offered as an optional update through Windows Update.

We are changing the Windows Update metadata today to make this automatic updater available as a Critical non-security update, enabling it to be deployed automatically to all customers who have opted in to Automatic Updates (according to their AU settings) and to appear as a Critical update in WSUS dashboards. This automatic updater is the fastest way for customers on Windows Vista and later platforms to get untrusted digital certificate updates such as the one included in Security Advisory 2728973 mentioned above. Customers on Windows Vista and later platforms who have not yet installed this new feature can deploy untrusted certificate updates through WSUS or from the Download Center. Windows XP and Windows Server 2003 computers will continue to receive Untrusted Certificate Store updates via Windows Update, although Security Advisory 2728973 has an installation prerequisite to which customers using Windows XP and Windows Server 2003 should pay special attention (described in the FAQ).
We will continue to monitor the threat landscape and take action where we believe we can strengthen the security of Microsoft’s handling or use of public key-based encryption technologies.