The Hacker News
This week Microsoft has released several advisories to help their users update from weak crypto. Microsoft is beginning the process of discontinuing support for digital certificates that use the MD5 hashing algorithm and to improve the network-level authentication for the Remote Desktop Protocol.

Microsoft's optional updates:
  1. Microsoft Security Advisory 2661254: The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
  2. Microsoft Security Advisory 2862973: Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program.

They are available for testing now so that when they are automatically deployed in February 2014. "We plan to release this update broadly through Windows Update on February 11, 2014 after customers have a chance to assess the impact of this update and take necessary actions in their enterprise."

In June an update set the minimum key length of RSA keys to 1024 and this week these new updates announce to restrict the use of MD5 in digital certificates that are part of the Microsoft Root Program.

"These updates are meant to enhance customer privacy and security. Strong cryptography improves the functionality of signing features which allow users to validate the source and trustworthiness of the content. It also improves the functionality of the underlying cryptography algorithms, increasing the cost of attacker efforts to perform content spoofing, man-in-the-middle (MiTM), and phishing attacks."

The MD5 cryptographic hash function has long been considered insecure for use in SSL certificates and digital signatures. "Microsoft seems to be going after less secure encryption techniques, and that's a good thing for Microsoft to start eliminating them from the landscape, especially MD5," said Lamar Bailey, director at Tripwire.

In 2008, a team of security researchers demonstrated a practical attack that involved exploiting a known MD5 weakness to generate a rogue CA certificate trusted by all browsers. "Usage of the MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," Microsoft said.

Microsoft recommends that customers download, test, and apply the update at the earliest opportunity.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.