Last evening Microsoft released seven security updates, three classified as critical and four as important. The June Patch Tuesday is one of the most important this year: in addition to correcting 26 vulnerabilities, the Redmond company has introduced a new system for automatically updating the list of untrusted certificates.
The Flame malware, as you may recall, relies precisely on a fake certificate to get onto the computers of unsuspecting users. The new certificate update system is therefore of particular importance, and its urgency is underscored by Ferardo Di Giacomo, head of Microsoft Security Response Center:
"This new feature provides a mechanism that allows you to mark certificates as invalid. Windows, in fact, checks daily for new certificates to be invalidated. Until now, adding certificates to the Untrusted Certificate Store required a manual update. This new automatic mechanism, which uses a list of invalid certificates called the Disallowed Certificate Trust List (CTL), is documented in the Windows PKI blog. We encourage users to install this new feature as soon as possible."
The three critical bulletins concern Windows, Internet Explorer and the .NET Framework. Microsoft recommends giving the highest priority to the MS12-037 patch, which fixes more than 13 vulnerabilities in all versions of the browser. An attacker could gain the same rights as the user and execute code remotely if the user visits a specially crafted site. Second in order of danger is the MS12-036 patch, which addresses a vulnerability in all versions of Windows. The last critical patch (MS12-038) relates to the Microsoft .NET Framework and fixes a bug that could be exploited if the user visits a web page using a browser that can run XAML applications.
The remaining four important updates concern Microsoft Lync (four vulnerabilities addressed), Microsoft Dynamics AX Enterprise Portal (one vulnerability) and the Windows operating systems (seven vulnerabilities). As mentioned, in addition to the security bulletins, Microsoft has released a system that automatically updates the Untrusted Certificate Store on Windows Vista and Windows 7. The new feature allows invalid certificates to be revoked through a list called the Disallowed Certificate Trust List. Windows will check daily for new certificates to be invalidated. Until now, adding certificates to the Untrusted Certificate Store required a manual update.
In addition, starting in August, Microsoft will distribute an update that will invalidate all certificates with RSA keys smaller than 1024 bits, even if they have not expired and are signed by a recognized Certification Authority.
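
To see which certificates on a machine fall under that key-length rule, the local stores can be audited ahead of the update. The following is an added example, not Microsoft's code or part of the original article; the function name `Find-WeakRsaCertificate` is hypothetical and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: list certificates in the local Windows certificate stores
# whose RSA public key is shorter than a minimum length (1024 bits, the
# threshold given in the article). The function name is hypothetical.
function Find-WeakRsaCertificate {
    param(
        [int]$MinimumBits = 1024,        # keys smaller than this are reported
        [string]$StorePath = 'Cert:\'    # root of the certificate provider
    )
    $rsaOid = '1.2.840.113549.1.1.1'     # OID of rsaEncryption public keys

    Get-ChildItem -Path $StorePath -Recurse -ErrorAction SilentlyContinue |
        # The provider also returns store and location objects; keep certificates only.
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        # Certificates already in the Untrusted (Disallowed) store are blocked anyway.
        Where-Object { $_.PSParentPath -notmatch '\\Disallowed$' } |
        # Only RSA keys are covered by the rule; skip ECC and DSA certificates.
        Where-Object { $_.PublicKey.Oid.Value -eq $rsaOid } |
        ForEach-Object {
            $bits = $_.PublicKey.Key.KeySize
            if ($bits -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = ($_.PSParentPath -replace '^.*::', '')
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                    # The rule applies even to certificates that have not expired.
                    Expired    = ($_.NotAfter -lt (Get-Date))
                }
            }
        }
}

Find-WeakRsaCertificate | Sort-Object Store, KeyBits | Format-Table -AutoSize
```

Rows with `Expired` set to `False` are the ones that still validate today and will stop doing so once the update is installed, so they are the certificates to reissue first.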