Fixlet Request for Microsoft Security Advisory: 2916652 & 2905247
Will fixlets be provided for Microsoft Security Advisory 2916652: Improperly Issued Digital Certificates Could Allow Spoofing (December 9, 2013) and Microsoft Security Advisory 2905247: Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege (December 10, 2013)?
Microsoft Security Advisory 2916652
Summary:
Microsoft is aware of an improperly issued subordinate CA certificate that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The subordinate CA certificate was improperly issued by the Directorate General of the Treasury (DG Trésor), subordinate to the Government of France CA (ANSSI), which is a CA present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.
The improperly issued subordinate CA certificate has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. The subordinate CA certificate may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.
Microsoft Security Advisory 2905247
Summary:
Microsoft is announcing the availability of an update for Microsoft ASP.NET to address a vulnerability in ASP.NET view state that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings. The vulnerability could allow elevation of privilege and affects all supported versions of Microsoft .NET Framework except .NET Framework 3.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1.
http://technet.microsoft.com/en-us/security/advisory/2916652
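Before deploying the 2905247 update it is worth knowing which sites on a server actually carry the weak setting the advisory describes. The following PowerShell script is an added example, not code from this thread, from BigFix or from Microsoft: it scans an IIS content root for web.config files and page directives that set EnableViewStateMac to false, and shows the weak and the corrected configuration side by side. It assumes the content root is C:\inetpub\wwwroot, that the setting lives on the <pages> element of web.config or in an @ Page directive, and that PowerShell 2.0 (as shipped with Server 2008 R2) is available; the sample web.config fragments are constructed for the demonstration.

```powershell
# Added example, not code from the forum post or from Microsoft.
# Reports ASP.NET sites where view state MAC validation has been switched off,
# which is the configuration advisory 2905247 warns about.
# Assumptions: $Root is the IIS content root to scan (C:\inetpub\wwwroot by
# default); the setting lives either on <pages> in web.config or in an
# @ Page directive of an .aspx/.ascx/.master file. Written for PowerShell 2.0.
param(
    [string]$Root = "C:\inetpub\wwwroot",
    [switch]$UseSample   # evaluate the constructed samples below instead of the file system
)

# Constructed sample: a weak web.config with MAC validation disabled.
$SampleWeakConfig = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
'@

# The hardened form is simply the default: omit the attribute or set it to "true".
$SampleFixedConfig = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
'@

function Test-ViewStateMacDisabled {
    param([xml]$Config)
    $pages = $Config.SelectSingleNode("/configuration/system.web/pages")
    if ($pages -eq $null) { return $false }            # no <pages> element: the default (true) applies
    $value = $pages.GetAttribute("enableViewStateMac")
    return ($value -ieq "false")                       # only an explicit "false" disables the MAC
}

if ($UseSample) {
    "Weak sample  -> MAC disabled: " + (Test-ViewStateMacDisabled ([xml]$SampleWeakConfig))
    "Fixed sample -> MAC disabled: " + (Test-ViewStateMacDisabled ([xml]$SampleFixedConfig))
    return
}

# 1. Site- and application-level web.config files
Get-ChildItem -Path $Root -Recurse -Filter web.config -ErrorAction SilentlyContinue | ForEach-Object {
    try { $cfg = [xml](Get-Content -Path $_.FullName | Out-String) } catch { return }
    if (Test-ViewStateMacDisabled $cfg) {
        "Weak setting (web.config): " + $_.FullName
    }
}

# 2. Per-page directives, e.g. <%@ Page EnableViewStateMac="false" %>
Get-ChildItem -Path $Root -Recurse -Include *.aspx,*.ascx,*.master -ErrorAction SilentlyContinue |
    Select-String -Pattern 'EnableViewStateMac\s*=\s*"false"' |
    ForEach-Object { "Weak setting (page directive): " + $_.Path + ":" + $_.LineNumber }
```

Run it with -UseSample to see the weak and fixed fragments evaluated, or without arguments on a web server to get a list of files to correct; the fix in every case is to delete the attribute (the default is already true) or set it to "true", and then apply the update from the advisory.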
has released an alternative to KB2677070. The automatic updater does not apply to Secure networks but servers like Server 2003 or 2008 R2 are still held to Compliance. I see that KB2917500 (Fixlet ID: 291750001) is available but it's only for Windows XP. Is there a way to have fixlets available for Windows Server 2003 & 2008R2, as indicated in the revision statement: "…2917500 update for customers running Windows XP or Windows Server 2003, or for customers who choose not to install the automatic updater of revoked certificates…"? We have applied KB2677070 but the mentioned Certificate is not updated because of a Secure Network scenario. This may be overkill but if firewalls are ever breached or Internet Connectivity is established, the servers are still protected to some degree.
V2.0 (December 12, 2013): Advisory revised to announce the availability of the 2917500 update for customers running Windows XP or Windows Server 2003, or for customers who choose not to install the automatic updater of revoked certificates. The 2917500 update is available via the Microsoft Update service and from the download center. For more information, see the Suggested Actions section of this advisory.
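For a server on an isolated network, the practical question raised above is whether the improperly issued subordinate CA certificate has actually been blocked on that host, since the automatic updater cannot fetch the disallowed certificate list without an Internet path. The following PowerShell script is an added example, not code from this thread, from BigFix or from Microsoft: it checks whether the 2917500 update is recorded as installed and whether a matching certificate sits in the machine's Untrusted Certificates store. It assumes the 2917500 update places the certificate in Cert:\LocalMachine\Disallowed; the certificate thumbprint is not given in the thread, so $Thumbprint is a placeholder to be filled in from the advisory, and $SubjectHint is a guessed substring of the certificate subject. It targets Server 2008 R2 (PowerShell 2.0 with the certificate provider); Server 2003 hosts would need the certificate store inspected with certutil instead.

```powershell
# Added example, not code from the forum thread or from Microsoft.
# On a Windows Server 2008 R2 host with no Internet path (the "secure network"
# case in the thread), confirm that the improperly issued subordinate CA
# certificate from advisory 2916652 is actually blocked, rather than assuming
# the automatic updater (KB2677070) managed to fetch the disallowed list.
# Assumptions: the 2917500 update places the certificate in the machine's
# Untrusted Certificates store (Cert:\LocalMachine\Disallowed); the thumbprint is
# NOT given in the thread, so $Thumbprint is a placeholder to fill in from the
# advisory; $SubjectHint is a guessed substring of the certificate subject.
param(
    [string]$Thumbprint  = "PLACEHOLDER_THUMBPRINT_FROM_ADVISORY_2916652",
    [string]$SubjectHint = "DG Tr"
)

# Certificates in the Untrusted store that match either the thumbprint or the subject hint.
function Get-BlockedCertificates {
    param([string]$Thumbprint, [string]$SubjectHint)
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed | Where-Object {
        ($_.Thumbprint -ieq $Thumbprint) -or ($_.Subject -like "*$SubjectHint*")
    }
}

# Get-HotFix reads Win32_QuickFixEngineering, which lists Windows Update packages
# but can miss updates installed by other installers; treat "not found" as a prompt
# to check, not as proof of absence.
function Test-HotfixInstalled {
    param([string]$KbId)
    $hf = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return ($hf -ne $null)
}

$blocked = @(Get-BlockedCertificates -Thumbprint $Thumbprint -SubjectHint $SubjectHint)

# DisableRootAutoUpdate = 1 under this policy key switches the automatic root/disallowed
# list update off entirely; worth knowing when deciding which mechanism a host relies on.
$policy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot" `
    -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue

$report = New-Object PSObject -Property @{
    ComputerName           = $env:COMPUTERNAME
    KB2917500Installed     = Test-HotfixInstalled -KbId "KB2917500"
    CertInDisallowed       = ($blocked.Count -gt 0)
    MatchingSubjects       = (($blocked | ForEach-Object { $_.Subject }) -join "; ")
    RootAutoUpdateDisabled = ($policy -ne $null -and $policy.DisableRootAutoUpdate -eq 1)
}
$report | Format-List

if (-not $report.CertInDisallowed) {
    "Certificate not found in the Untrusted store: apply 2917500, or verify that the disallowed list update reached this host."
}
```

Run it in an elevated PowerShell session on each server; a host that shows the update installed but no matching certificate, or a matching certificate with no update recorded, is the case to look at more closely before treating the machine as compliant.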
I've attached a screenshot of an email notification from our WSUS server showing the availability of KB2917500 for Windows 2003 & Windows 2008R2.