Woody Leonhard's no-bull news, tips and help for Windows and Office
  • When is a security cert not a security cert?

    Posted on June 4th, 2012 at 21:21 woody 4 comments

    When it’s a Microsoft security cert, of course.

    Microsoft just sent an out-of-band patch down the Automatic Update chute. It plugs one of the (many) holes used by the “Flame” malware.

    While I figure none of you are susceptible to Flame – the whole thing’s been overblown – you may be susceptible if some cretin figures out how to use the security certificate signing technique to generate a different cert.

    Microsoft has details in Security Advisory 2718704. Brian Krebs has an excellent synopsis on his site.

    I’m about to change the MS-DEFCON level to 4. This patch is good incentive.

     

    4 responses to “When is a security cert not a security cert?”

    1. When I went out to get this and other MS Updates, my Win 8 CP and Win XP installations (different laptops) reported that they could not make an Internet Connection through the Windows Updates mechanism. In both laptops, IE (8 and 10) also reported that IE could not connect with the MS Updates site.

      Certificate issues?

      Well, Win 7 HP on the same laptop where Win 8 CP couldn’t connect with MS Updates, did a perfect job of the entire MS Updates routine, from the normal updates mechanism. And IE 9 in there did not complain about going to the MS Updates site.

      Weird.

      I got the XP machine updates going by using Firefox with IE Tab and telling NoScript to allow the MS Updates Site. My portal for triggering the launching of this updates scheme is through the MSE 4 Help Menu. Works perfectly now, after telling NoScript to allow the updates site.

      Win 8 CP needed to have BITS and WUAUSERV services shut down (Cmd prompt). Then when I restarted Win 8 CP, all was well again. Again, weird.

      Anyone else have trouble making the initial connection to get this update?

    2. For what it is worth, after getting the go ahead to patch, I used MS’s Windows Updates to download and install all the updates presented to me in the usual manner; 13 in all, including 2718704, and 3 .NET holdovers.
      No problems doing the installs or so far.
      I have Win XP SP3 with no 3rd party add ons, etc.

    3. Looks like it was just my computers then. Or my Internet Connection for a couple of hours.

    4. Drat, Woody. Obtaining the KB2718704 updates at Microsoft Download Center requires Validating Windows. A minor setback that I’ll easily overcome since I’m using pre-installed genuine Vista 32bit and Win7 64bit OSes on two different computers.
