In a brief blog post the Microsoft Exchange team has announced the re-release of the latest round of update rollups for Exchange Server.
Earlier today we re-released the following Rollup Updates. These updates address an issue in which digital signatures on files produced and signed by Microsoft will expire prematurely, as described in Microsoft Security Advisory 2749655.
I’ve spent some time today reading through the series of bulletins and blog posts from Microsoft about this issue, and fielding questions from people who are not sure exactly what they need to do about it.
It is important that you do not view this as an issue that only impacts Exchange Server. The digital signatures issue impacts a much wider range of Microsoft software, as explained by the Security Research & Defense team in this blog post.
All Microsoft security updates are code-signed by our Product Release and Security Services (PRSS) team. This central team also manages the code signing and release process for all production Microsoft software. Unfortunately, due to a clerical error, a subset of binaries processed by the PRSS lab between June 12, 2012 and August 14, 2012 were digitally signed in an incorrect manner.
What is the impact of the incorrect digital signature? Well one potential impact is that they next time up go to install an update (such as an Exchange update rollup) it may throw an error and fail to install because of the signature of the files already on your system.
Without a properly formed timestamp in place to extend the validity period, these binaries and packages will no longer be trusted as valid as soon as the signing key expires.
How soon might this start occurring?
For some of the affected files and packages, that signing key expiration date falls in the next few months.
There is a lot more information within that blog post as well as the Security Advisory 2749655, but here is my summary based on my interpretation of it all so far.
1. Microsoft is going to re-release any update that was affected by the code signing issue. The Exchange update rollups are an example of this.
We will re-sign and redistribute all files and packages affected by this issue.
2. Microsoft has released a patch that allows Windows and other Microsoft software to handle the invalid signatures.
- Microsoft Security Advisory: Compatibility issues affecting signed Microsoft binaries (aka WInVerifyTrust package)
3. Because the above patch only helps Microsoft software deal with the invalid signatures, it can’t guarantee that third party software that also checks for valid digital signatures on binaries will not continue to have a problem (antivirus software is one example).
In other words:
- Installing the WinVerifyTrust package alone mitigates the issue for Microsoft Windows and other Microsoft software
- Installing the re-released updates (such as the Exchange rollups) resolves the issue for all third party software as well
The clearest advice from Microsoft comes at the end of the SRD team blog post:
We encourage all customers to apply the re-released, re-signed security updates as they become available. As an additional defense-in-depth measure, we recommend that customers also apply the updated WinVerifyTrust package which serves as an effective way for Windows and Microsoft applications to extend the validity period of these packages beyond the premature expiration date. We should be clear that the re-released, re-signed security updates by themselves are sufficient to address the potential compatibility issue and the WinVerifyTrust package is not strictly necessary – it is offered as a defense-in-depth option to customers who want to ensure that this issue does not affect them between now and the time they apply the updated security updates.
Just to slightly complicate things, the re-released Exchange 2010 SP2 UR4 has an extra hotfix (2756987)thrown in as well.