Microsoft announced this time last week that it would release eight security bulletins, three of which are labeled as Critical. These patches were released on time as part of the company’s Patch Tuesday update cycle for August.
But the software titan released two additional security patches, outside the eight bulletins that are available via its automatic update service. These two are actually optional downloads.
Microsoft’s security bulletin describes the first one as a way to restrict the use of certificates with MD5 hashes in most versions of Windows, including Vista, Windows 7, Windows 8, and Windows RT:
“This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Usage of MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.”
Users of Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 are also advised to download and test this patch to make sure it works on their systems. Microsoft plans to push this update via the Automatic Download service in February 2014.
The second update was detailed in a separate notification. This one is supposed to provide additional defense-in-depth measures for Remote Desktop Protocol Network Level Authentication.
Overly technical, but overly interesting, nevertheless!
This time, the patch is aimed at Windows Vista, Windows 7, and older Server platforms — meaning Windows 8, RT and Windows Server 2012 users will not see the update.