Just for clarity's sake, it's not the encrypted link but the signing key for
the certificate that needs to be 1024-bit or higher. This update is a
response to the malware disclosed a month or two ago where a spoofed
certificate was generated and trusted under the built-in terminal services
trust chain, which only required 512-bit signing. This allowed the malware to
hijack the Windows Update channel and feed in whatever software they wanted
with system credentials.

It's pretty unlikely that anyone is running certificates on websites that
would have a problem with this. The bigger issue is going to be signed code.
Pre-2010 signed applications get an exclusion, but ActiveX controls do not.
I have a feeling that is where most of the problems will come from, so I
recommend extreme caution on this one and do plenty of testing before you
release the patch to all your systems.
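The point above, that every signing key in a certificate's chain (not just the leaf) has to meet the 1024-bit floor, is the sort of thing worth checking on your own certificates before deploying the patch. The following is an added example written for this thread, not code from the poster or from Microsoft: it parses the DER-encoded PKCS#1 RSAPublicKey structure (SEQUENCE { INTEGER n, INTEGER e }) by hand to get the modulus length, then walks a chain and reports any key below the threshold. The chain and key values are constructed for the example (the moduli are just numbers of the right bit length, not real RSA keys); the names `sample_key`, `weak_keys_in_chain` and `SAMPLE_CHAIN` are mine.

```python
"""Flag RSA keys below a minimum size anywhere in a certificate chain.

Parses the PKCS#1 RSAPublicKey DER structure directly so it needs no
third-party library. Sample keys are constructed for the example and are
not real keys; only their modulus length matters for the check.
"""

MIN_RSA_BITS = 1024  # the floor the update enforces, per the discussion above


def _der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER (tag 0x02). A leading zero byte is
    added when the top bit is set so the value is not read as negative."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    """DER-encode a SEQUENCE (tag 0x30) of already-encoded items."""
    body = b"".join(items)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the tag-length-value at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def parse_rsa_public_key(der: bytes):
    """Parse PKCS#1 RSAPublicKey and return (modulus, public_exponent)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def rsa_key_bits(der: bytes) -> int:
    """Key size is the bit length of the modulus; the DER padding byte is
    dropped by int.from_bytes, so a 512-bit key reports 512, not 520."""
    modulus, _ = parse_rsa_public_key(der)
    return modulus.bit_length()


def weak_keys_in_chain(chain, minimum=MIN_RSA_BITS):
    """Return [(name, bits)] for every certificate whose RSA key is shorter
    than `minimum`. Each CA key signs the certificate beneath it, so one short
    CA key anywhere in the chain invalidates it, however strong the leaf is."""
    return [(name, rsa_key_bits(key)) for name, key in chain
            if rsa_key_bits(key) < minimum]


def sample_key(bits: int) -> bytes:
    """Constructed RSAPublicKey of exactly `bits` bits (hypothetical; the
    modulus is only a number with its top bit set, enough for a length check)."""
    modulus = (1 << (bits - 1)) | 0x10001
    return der_sequence(der_integer(modulus), der_integer(65537))


# Constructed chain: a strong leaf under a 512-bit intermediate and a strong
# root, the shape of the problem described in the post.
SAMPLE_CHAIN = [
    ("leaf", sample_key(2048)),
    ("intermediate (weak)", sample_key(512)),
    ("root", sample_key(2048)),
]

if __name__ == "__main__":
    for name, bits in weak_keys_in_chain(SAMPLE_CHAIN):
        print(f"{name}: {bits}-bit RSA key is below the {MIN_RSA_BITS}-bit floor")
```

Run against your own chain, you would feed each certificate's extracted RSAPublicKey bytes in place of `sample_key(...)`; the check deliberately reports the intermediate here even though the leaf itself is 2048-bit, which is exactly the case the post is warning about.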