We have our work cut out for us this Patch Tuesday. A missing piece of information in code-signing certificates means that many of the updates we’ve already installed will be reoffered.
What started out as a relatively mild Patch Tuesday has suddenly turned severe — and Microsoft indicates this might not be the last of it.
Security certificates will expire prematurely
As reported in a Microsoft Security Research & Defense blog post, numerous MS digital certificates released in the past few months have faulty timestamp attributes. The error will cause the certificates to expire too soon. The good news is that this debacle is not a security threat. Without an update, however, you might run into problems with future MS software patches. According to the blog, the correctly re-signed updates are MS12-053 through MS12-058 (more on these updates below).
Here’s a bit of history on this problem. Between June 12 and Aug. 14, a subset of binaries (translation: the files in some of the updates we received between June and August) had faulty digital signatures. A core component of the Windows security system, these signatures ensure that malware can’t enter your system via Microsoft Update or Windows Update.
The process resembles the words of that old children’s song: “The toe bone’s connected to the foot bone.” A code-signing server issues digital signatures to new software. With a valid code-signing key and timestamp, Windows knows that the software can be trusted and will install and/or run it. The software remains trusted until its timestamp expires. Unfortunately, in this case, the affected files will expire prematurely — within a few months.
As the SRD blog puts it, the “signing error involved the timestamp placed on each file as it was being signed. The certificate used for timestamping was missing a critical attribute that will cause the digital signature to become invalid at the point in the future when the package’s signing key has expired. Normally, the signing key is valid for a reasonably short amount of time, while the timestamp allows the binary to be trusted as ‘valid’ for a much longer period of time.”
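To make the timing concrete, here is a simplified model of that trust decision. It is an added example, not Microsoft's verification code; the file names, dates and the `attribute_ok` flag are constructed for illustration, and a timestamp that is honoured is treated as keeping the file trusted indefinitely.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Timestamp:
    signed_on: date       # signing time asserted by the timestamp
    attribute_ok: bool    # False models the missing attribute described above

@dataclass
class SignedFile:
    name: str
    key_not_before: date  # validity window of the code-signing key
    key_not_after: date
    timestamp: Optional[Timestamp]

def timestamp_honoured(f: SignedFile) -> bool:
    """A timestamp counts only if its certificate is acceptable and the
    asserted signing time falls inside the signing key's validity window."""
    ts = f.timestamp
    return (ts is not None and ts.attribute_ok
            and f.key_not_before <= ts.signed_on <= f.key_not_after)

def is_trusted(f: SignedFile, today: date) -> bool:
    """Decide whether the signature is still accepted on a given day."""
    if timestamp_honoured(f):
        # Simplification: the timestamp proves the key was valid at signing.
        return True
    # No usable timestamp: trust ends when the signing key expires.
    return f.key_not_before <= today <= f.key_not_after

def first_failure(f: SignedFile, checks: list) -> Optional[date]:
    """Return the earliest check date on which the file is rejected."""
    return next((d for d in sorted(checks) if not is_trusted(f, d)), None)

# Constructed sample data: one signing key, one flawed and one re-signed file.
KEY = (date(2012, 4, 1), date(2012, 10, 31))
FLAWED = SignedFile("update-original.cab", *KEY, Timestamp(date(2012, 7, 10), False))
RESIGNED = SignedFile("update-resigned.cab", *KEY, Timestamp(date(2012, 10, 9), True))
CHECKS = [date(2012, 9, 1), date(2013, 1, 15), date(2014, 6, 1)]

if __name__ == "__main__":
    for f in (FLAWED, RESIGNED):
        for d in CHECKS:
            print(f"{f.name} on {d}: {'trusted' if is_trusted(f, d) else 'REJECTED'}")
```

The flawed file passes every check while the signing key is valid and fails only afterwards, which is why the problem surfaces months after the updates were installed.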
What does that mean for us? Beginning this month and possibly well into the future, Microsoft will reissue updates released between June and August. In the meantime, installing update 2749655 will make Windows trust the flawed-timestamp updates until we’re able to add the fixes.