h-online: On its September Patch Tuesday, Microsoft released two security updates that are rated as important and which close holes in Visual Studio Team Foundation Server 2010 (TFS) and Systems Management Server 2003 and 2007. Both updates fix cross-site scripting (XSS) vulnerabilities in the web interfaces that allow attackers to execute arbitrary code in the victim’s browser.
As the holes enable an attacker to access the web interfaces at the user’s privilege level, Microsoft has classified them as privilege escalation vulnerabilities. The company notes that, to its knowledge, neither of the holes is being actively exploited for attacks.
Microsoft has also published a number of other patches for Windows, Windows Server and the Malicious Software Removal Tool; it considers these to be non-security-related. The company notes that, unlike its other September updates, users may have to restart their computers after installing these. The updates include a new set of ActiveX kill bits to prevent vulnerable Cisco plugins running.
While this Patch Day has turned out to be moderate, the next one may have far-reaching consequences: in October, Microsoft will use Windows Update to deploy a patch that will invalidate any certificates with an RSA private key length of less than 1,024 bits. Those who manage infrastructures that use such certificates should, therefore, replace them with certificates whose private key has the required minimum length before then. NIST currently recommends an RSA key length of at least 2,048 bits.