Patch Tuesday: Microsoft restricts RSA tokens with 1024-bit encryption

Microsoft is starting to limit the use of weaker encryption in a bid to tighten up Windows security

Microsoft is hardening security certificates as part of this month’s Patch Tuesday update, which includes nine fixes.

In the Microsoft TechNet security blog, Yunsun Wee, director of Microsoft Trustworthy Computing wrote: “Today we are announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1,024 bits in length.”

As Computer Weekly has previously reported, security researchers have demonstrated how relatively low-cost graphics processors could be used to crack strong encryption. 

Two years ago, Swedish researchers published a paper stating that while 1,024-bit encryption is 1,000 times harder to break than 768-bit codes, within four to five years 1,024-bit encryption would need to be phased out.
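The update described above rejects certificates whose RSA modulus is shorter than 1,024 bits. The following is an added example, not code from the article or from Microsoft, showing how such a minimum-key-length check can be applied to a DER-encoded SubjectPublicKeyInfo without any third-party library. The DER helpers and the sample moduli are constructed for illustration; the sample keys are not real RSA keys, only integers of the required bit lengths.

```python
"""Audit RSA public keys against a minimum modulus length (1024 bits).

Added example (not from the article). The encoder builds constructed
sample input; the decoder walks the DER structure and applies the policy.
"""
from typing import List, Tuple

MIN_RSA_BITS = 1024  # threshold named in the Microsoft update discussed above
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER encoding (used only to construct sample input) ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def build_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Encode SubjectPublicKeyInfo { rsaEncryption, BIT STRING { RSAPublicKey } }."""
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    bit_str = _tlv(0x03, b"\x00" + rsa_pub)  # first byte: number of unused bits
    return _tlv(0x30, alg_id + bit_str)


# --- minimal DER decoding ---
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after this element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        out.append((tag, inner))
    return out


def rsa_modulus_bits(spki: bytes) -> int:
    """Extract the RSA modulus bit length from a DER SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    alg_id, bit_str = _children(body)
    oid = _children(alg_id[1])[0]
    if oid[0] != 0x06 or oid[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    if bit_str[0] != 0x03:
        raise ValueError("expected BIT STRING for subjectPublicKey")
    rsa_pub = bit_str[1][1:]  # skip the unused-bits byte
    _, seq_body, _ = _read_tlv(rsa_pub, 0)  # RSAPublicKey SEQUENCE
    mod_tag, mod_body, _ = _read_tlv(seq_body, 0)  # first INTEGER = modulus n
    if mod_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(mod_body, "big").bit_length()


def is_allowed(spki: bytes, min_bits: int = MIN_RSA_BITS) -> bool:
    """Policy: accept only RSA keys whose modulus has at least min_bits bits."""
    return rsa_modulus_bits(spki) >= min_bits


if __name__ == "__main__":
    # Constructed samples: integers of the target bit length, not real keys.
    for label, bits in (("weak", 512), ("boundary", 1024), ("strong", 2048)):
        key = build_spki((1 << (bits - 1)) | 1)
        print(f"{label:8s} {rsa_modulus_bits(key):5d} bits allowed={is_allowed(key)}")
```

Real certificates carry this SubjectPublicKeyInfo inside the tbsCertificate; the same `rsa_modulus_bits` check applies once that element has been located, and the boundary case (exactly 1,024 bits) is accepted, matching the "less than 1,024 bits" wording of the update.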

The latest update includes four fixes for Internet Explorer (IE). 

Ziv Mador, director of security research at Trustwave SpiderLabs, said users who do not want to download the IE patch can limit their risk from this attack by setting their IE security zone to "high", which blocks ActiveX controls, and by adding trusted sites to the IE Trusted Sites zone.

Another patch in the August update fixes a bug relating to document handling.

“MS12-060 addresses a vulnerability in Windows Common Controls that could lead to remote execution,” said Jason Miller, research and development manager at VMware.

“If a user opens a malicious RTF document on an unpatched system, an attacker can gain complete access to the system. RTF documents as attachments are common. In addition, most email security software does not block these types of attachments due to how commonly they are used,” he warned.
