Network World

Julie Bort

Why I'm ignoring my W7 warning messages and other Microsoft Patch Tuesday news

Microsoft will issue five patches to fix 15 holes, none critical, while the world deals with the SSL certificate mess.

By Microsoft Subnet on Thu, 09/08/11 - 6:39pm.

On Tuesday, Microsoft will release five updates to fix 15 vulnerabilities, none critical, as part of its routine Patch Tuesday security patches. "A welcome break from Microsoft while we deal with the growing SSL Certificate Issues," says Paul Henry, security and forensic analyst for Lumension. He extends a hearty thank you to Microsoft, though in truth Microsoft is following its usual pattern of alternating light and heavy Patch Tuesdays. August was a big month in which Microsoft released 13 bulletins that fixed 22 vulnerabilities, two critical.

The patches will fix holes in Windows, Excel, SharePoint Server and Groove. Henry summarizes the patches as follows:

Bulletin 1 Important – Elevation of Privilege impacting Microsoft Windows 2003 and 2008
Bulletin 2 Important – Remote code execution impacting Microsoft Windows all platforms
Bulletin 3 Important – Remote code execution impacting Microsoft Office (including Mac) / Microsoft Server
Bulletin 4 Important – Remote code execution impacting Microsoft Office
Bulletin 5 Important – Elevation of Privilege impacting Microsoft Office / Microsoft Server

While the light Patch Tuesday may not be a gift from Microsoft, it is still a relief as IT professionals work on updating their own server certificates via the updates Microsoft released earlier this week. These revoke all DigiNotar certificates and others that are sub-CAs to DigiNotar, like Koninklijke Notariele Beroepsorganisatie CA and Stichting TTP Infos CA.

The hacked certificate mess promises to grow uglier, too. On Thursday, the hacker who claimed responsibility, who calls himself "Comodohacker," declared that he had also penetrated the networks of StartCom, an Israeli CA, and U.S.-based GlobalSign.

Sigh.

While Microsoft customers were worried that the faked certificates could lead the bad guys to distribute malware through faked Windows Update services, Microsoft reassured its customers that this isn't possible. "Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), in a Sunday blog post. "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft."

I, for one, am reassured. But still, when I noticed on Wednesday a warning note from my Windows 7 Action Center telling me I had to solve two PC issues, I was surprised. One of them told me I needed to address a problem with Office. I wasn't having any problems with Microsoft Office.

Windows Update message

The other one told me I needed to fix a problem with Skype (again ... having no problems with it) and gave me a URL to click where I could read Skype's Knowledge Base article.

Ok, I'm not seriously suggesting that the certificate mess is responsible for these warning notes from Action Center. All the same, I think I'll wait until Microsoft, Mozilla, Google and the other white hats have stopped Comodohacker before I click on those links ...

About The Microsoft Update

Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.

The Microsoft Subnet blog is the official blog of the Network World's Microsoft Subnet community. Microsoft Subnet is the independent voice of Microsoft customers and is your gateway to daily Microsoft news, blogs, opinion, books, prize giveaways and more. Visit the Microsoft Subnet index page daily, and while you are there, subscribe to the Microsoft newsletter.
