This week Microsoft has released several advisories to help their users update from weak crypto. Microsoft is beginning the process of discontinuing support for digital certificates that use the MD5 hashing algorithm and to improve the network-level authentication for the Remote Desktop Protocol.
Microsoft's optional updates:
They are available for testing now so that when they are automatically deployed in February 2014. "We plan to release this update broadly through Windows Update on February 11, 2014 after customers have a chance to assess the impact of this update and take necessary actions in their enterprise."
In June an update set the minimum key length of RSA keys to 1024 and this week these new updates announce to restrict the use of MD5 in digital certificates that are part of the Microsoft Root Program.
"These updates are meant to enhance customer privacy and security. Strong cryptography improves the functionality of signing features which allow users to validate the source and trustworthiness of the content. It also improves the functionality of the underlying cryptography algorithms, increasing the cost of attacker efforts to perform content spoofing, man-in-the-middle (MiTM), and phishing attacks."
The MD5 cryptographic hash function has long been considered insecure for use in SSL certificates and digital signatures. “Microsoft seems to be going after less secure encryption techniques, and that’s a good thing for Microsoft to start eliminating them from the landscape, especially MD5,” said Lamar Bailey, director at Tripwire.
In 2008, a team of security researchers demonstrated a practical attack that involved exploiting a known MD5 weakness to generate a rogue CA certificate trusted by all browsers. "Usage of the MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," Microsoft said.
Microsoft recommends that customers download, test, and apply the update at the earliest opportunity.