Patch Tuesday September 2011 – Important News

It’s Microsoft Patch Tuesday for September 2011

The big news this month is not Microsoft’s official monthly patch release. In fact, during the last couple of weeks, Windows has not been the main source of security problems. At least not directly. The internet security problems of the last few weeks seem to affect everyone. Linux and Mac OS Lion have had some potentially more serious problems this time. Most browsers have also been updated recently. Adobe will have an update soon too. Still, it’s time to update Windows.

Here is a video on updating Windows XP

How To Update Windows XP: http://www.youtube.com/watch?v=2coTJHY8O-8

As far as Patch Tuesday Microsoft releases go, this month is very minor.


My Windows 7 computers had only 3-4 updates. I saw similar numbers on Windows XP computers except one that had nearly 12 updates (it has a lot of other Microsoft products on it in addition to Microsoft Office). You may have an optional update available for .NET 4.x. The .NET updates took the longest (they often take the longest and also seem to be the updates that fail sometimes).

The important Microsoft Update was an out-of-band patch Microsoft pushed out last week.

Last week, Microsoft pushed an out-of-band patch that updated how Windows (Internet Explorer in particular) handles digital certificates. Mainly, Microsoft has blacklisted all digital certificates from Diginotar. Nearly all other browsers and operating systems have done the same (make sure you have updates on your browsers and operating system this week too!).

This is due to the Diginotar hack discovered recently.

What is a certificate and what does Diginotar have to do with your internet?

Certificates are a way for a site to prove to your computer that it is the real site. When you see the padlock icon in your browser or the https in the address, it means that your browser has checked to make sure that you are connected and/or have an encrypted connection to the real site. You can be reasonably safe knowing that you’re connected to your bank’s website and no one can intercept and read the data between you and the bank’s website. The bank sends a code (the certificate) to your browser and your browser compares that certificate to a code it receives from a “trusted certificate authority.” Only certain places are approved to be certificate authorities and can provide a certificate to a website (the site has to purchase it too).

It has been discovered that Diginotar, one of these authorities, was compromised and false certificates were issued for several popular sites.

Google.com was the one that caught everyone’s attention, but now literally hundreds of false certificates for well-known sites have been issued, including some wildcard “*” certificates. It is known that some of these were accessed by users thousands of times. Nearly all of the affected users were from addresses in Iran, leading some to think the Iranian government may be behind it. If you have been to Iran, you need to change all your passwords.

This was all due to poor security at Diginotar.

The original compromise was a weak administrator password. That password was also used to gain access to other accounts. This is why you need strong passwords and should not use the same password for another account. Diginotar also had other terrible security problems. For instance, their website was fixed with a backup of the website that had also been hacked back in 2009. Diginotar as a company will probably cease to exist. All due to a weak password. They should have read this site. :-) Of course, maybe they do and, like so many, fail to use the advice.

Because of Diginotar’s bad security, all browsers and operating systems have had to cancel or blacklist certificates by Diginotar. This is a big problem for the Netherlands, where the government has been using Diginotar’s certificates and working to make personal online digital signatures a reality with them.
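As an added illustration (not part of the original post), here is one way to check in Python that a trust store no longer lists Diginotar, either as a root or as the issuer of another CA. Matching on the CA name is this example's own simplification, and the sample entries are constructed.

```python
import ssl

# Names to flag. Matching by name is a simplification made for this example.
DISTRUSTED = ("diginotar",)

def name_fields(dn):
    """Flatten an ssl-module name (tuple of RDNs, each a tuple of
    (key, value) pairs) into a plain {key: value} dict."""
    return {key: value for rdn in dn for key, value in rdn}

def is_distrusted(cert, needles=DISTRUSTED):
    """True if the subject or issuer organisation/common name matches."""
    for part in ("subject", "issuer"):
        fields = name_fields(cert.get(part, ()))
        text = " ".join(fields.get(k, "")
                        for k in ("organizationName", "commonName")).lower()
        if any(needle in text for needle in needles):
            return True
    return False

def audit(ca_certs, needles=DISTRUSTED):
    """Return the common names of trust-store entries that should be gone."""
    hits = []
    for cert in ca_certs:
        if is_distrusted(cert, needles):
            hits.append(name_fields(cert.get("subject", ()))
                        .get("commonName", "<no CN>"))
    return sorted(hits)

def load_system_roots():
    """CA certificates this Python/OpenSSL build trusts by default.
    Roots stored in a capath directory only show up once they have been used."""
    return ssl.create_default_context().get_ca_certs()

def _dn(org, cn):
    return ((("countryName", "NL"),), (("organizationName", org),),
            (("commonName", cn),))

# Constructed sample entries in the format get_ca_certs() returns.
SAMPLE = [
    {"subject": _dn("DigiNotar", "DigiNotar Root CA"),
     "issuer": _dn("DigiNotar", "DigiNotar Root CA")},
    {"subject": _dn("Example Services", "Example Services CA"),
     "issuer": _dn("DigiNotar", "DigiNotar Root CA")},
    {"subject": _dn("Example Trust", "Example Trust Root"),
     "issuer": _dn("Example Trust", "Example Trust Root")},
]

if __name__ == "__main__":
    print("Sample store:", audit(SAMPLE))
    print("This machine:", audit(load_system_roots()) or "none found")
```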

Mac OS Lion had some problems.

Some security pros have noted that Mac OS Lion has not correctly cancelled certificates from Diginotar. Apple released a patch for it late last week.

Adobe is also readying updates related to Diginotar.


Some of Adobe’s products use certificates. Adobe Reader uses digital certificates to prove the authenticity of PDFs. There are updates for Adobe Reader and Adobe Acrobat out. You can update by downloading from Adobe.com or update from the help menu in Reader.

Now for Linux’s problems.

Kernel.org was hacked. Kernel.org is the home for the heart of Linux, the Linux OS kernel. It also looks like a weak password was the problem. I read that the user with the bad (a very obvious one) password may have been Linus Torvalds, the creator of Linux, himself. That could just be a rumor though. Fortunately, the Linux code itself was not interfered with (there was a lot of checking to make sure). Linux.org was also hacked. No OS files are distributed from linux.org, so there were no real worries once everything was restored.

So for this month, the Windows part of Patch Tuesday is an easy one. It’s everything else that also needs to be updated.