Does WSUSOU install updated certificate trust/untrust lists?

Post by friday123 » 15.07.2014, 20:12

It seems like once or twice a year I get an advisory from Microsoft that says "Improperly Issued Digital Certificates Could Allow Spoofing". Microsoft has a separate update system to update revoked certificates that is enabled by default in Windows 8 and optional in Windows Vista and 7. The most recent advisory states:

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, and that do not have the automatic updater of revoked certificates installed, this update is not available. To receive this update, customers must install the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details). Customers in disconnected environments and who are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 can install update 2813430 to receive this update (see Microsoft Knowledge Base Article 2813430 for details).


Does WSUSOU do anything to deal with this certificate issue? I had just assumed Microsoft was making these updated certificate lists available via Windows Update. Thanks

Re: Does WSUSOU install updated certificate trust/untrust li

Post by boco » 15.07.2014, 21:56

Look into ./client/win/glb after a download run. You'll find rootsupd.exe (Update for trusted certs) and rvkroots.exe (Update for revoked certificate list). Yes, WSUSOU deals with 'em. :mrgreen:
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media

Re: Does WSUSOU install updated certificate trust/untrust li

Post by friday123 » 18.07.2014, 07:46

boco wrote: Look into ./client/win/glb after a download run. You'll find rootsupd.exe (Update for trusted certs) and rvkroots.exe (Update for revoked certificate list). Yes, WSUSOU deals with 'em. :mrgreen:


I am using WSUSOU r603 and I just ran the Update Generator today. I have a rootsupd.exe from 2014-02-13 and rvkroots from 2013-12-10. Microsoft has done revocations since then. Is it possible they are no longer updating these packages for enterprise customers?

Re: Does WSUSOU install updated certificate trust/untrust li

Post by WSUSUpdateAdmin » 18.07.2014, 09:31

Hi.

Preceding thread: viewtopic.php?f=6&t=3543.

By today, WOU provided rvkroots.exe v. 5.0.2195.0 (kb2917500, see http://www.microsoft.com/en-us/download ... x?id=41542), but I just found rvkroots.exe v. 6.0.2195.0 (kb2982792, see http://www.microsoft.com/en-us/download ... x?id=43672), which I'll integrate now.

Regards
T. Wittrock

Re: Does WSUSOU install updated certificate trust/untrust li

Post by aker » 18.07.2014, 16:39

Please update .\client\exclude\ExcludeList.txt too.

[edit]No need to; the WUA still lists the old KB-id.[/edit]
Wer Rechtschreibfehler findet, darf sie behalten oder an den Meistbietenden versteigern. / Everybody finding a misspelling is allowed to sell it.

Re: Does WSUSOU install updated certificate trust/untrust li

Post by friday123 » 20.07.2014, 06:36

WSUSUpdateAdmin wrote: By today, WOU provided rvkroots.exe v. 5.0.2195.0 (kb2917500, see http://www.microsoft.com/en-us/download ... x?id=41542), but I just found rvkroots.exe v. 6.0.2195.0 (kb2982792, see http://www.microsoft.com/en-us/download ... x?id=43672), which I'll integrate now.


Thanks Torsten. I've confirmed the update is successfully applied in Windows 8 and the certificates issued by CCA India that are referenced in advisory 2982792 are listed as untrusted.

What do you think will happen in about a year when Server 2003 goes EOL? Will we still get these enterprise certificate list packages? The new separate updater method seems pretty confusing to me:

Announcing the automated updater of untrustworthy certificates and keys
Verify KB2916652 on Windows 2012
An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
Configure Trusted Roots and Disallowed Certificates
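The two checks discussed in this thread, as an added PowerShell example that is not part of the original posts or of WSUS Offline Update: it reports version, timestamp and Authenticode status of the two packages in client\win\glb, then lists certificates in the local machine's Disallowed store whose issuer matches a pattern. The install path `C:\wsusoffline`, the parameter and function names, and the `*CCA India*` issuer pattern are assumptions; 6.0.2195.0 is the rvkroots.exe version mentioned above.

```powershell
# Added example, not WSUS Offline Update code. Run on the client after updating.
param(
    [string]$WsusouRoot    = 'C:\wsusoffline',  # assumption: where WSUSOU is unpacked
    [version]$MinRvkroots  = '6.0.2195.0',      # rvkroots.exe version named in the thread
    [string]$IssuerPattern = '*CCA India*'      # assumption: issuer name as shown in the cert
)

function Get-CertPackageStatus {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $Path; Present = $false; Version = $null
                                  Modified = $null; Signature = $null; Signer = $null }
    }
    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo
    # Build the version from the numeric parts; the FileVersion string can carry extra text.
    $ver  = New-Object version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        File      = $Path
        Present   = $true
        Version   = $ver
        Modified  = $item.LastWriteTime
        Signature = $sig.Status          # 'Valid' means signed and the chain verified locally
        Signer    = $signer
    }
}

# 1. Are the downloaded packages present, signed, and at least the expected version?
$glb      = Join-Path $WsusouRoot 'client\win\glb'
$packages = 'rootsupd.exe', 'rvkroots.exe' |
    ForEach-Object { Get-CertPackageStatus -Path (Join-Path $glb $_) }
$packages | Format-List

$rvk = $packages | Where-Object { $_.File -like '*rvkroots.exe' }
if (-not $rvk.Present) {
    Write-Warning "rvkroots.exe not found under $glb; run the download first."
} elseif ($rvk.Signature -ne 'Valid') {
    Write-Warning "rvkroots.exe signature status is '$($rvk.Signature)'; do not deploy it."
} elseif ($rvk.Version -lt $MinRvkroots) {
    Write-Warning "rvkroots.exe is $($rvk.Version), older than $MinRvkroots."
}

# 2. Which certificates matching the issuer pattern are in the Disallowed (untrusted) store?
Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Issuer -like $IssuerPattern } |
    Select-Object Subject, Issuer, Thumbprint, NotAfter |
    Format-List
```

A stale package shows up as a version below the threshold or an old modification date. An empty store listing only means that no certificate object with a matching issuer is present in that store.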

Re: Does WSUSOU install updated certificate trust/untrust li

Post by WSUSUpdateAdmin » 27.07.2014, 13:42

Hi.

aker wrote: Please update .\client\exclude\ExcludeList.txt too.

[edit]No need to; the WUA still lists the old KB-id.[/edit]


Thanks, I've added kb2982792 anyway now.

Greets
Torsten

Re: Does WSUSOU install updated certificate trust/untrust li

Post by friday123 » 11.07.2015, 08:24

What is happening now with rvkroots? It has been released by Microsoft for Windows Server 2003. I just got an e-mail from Microsoft that July 14, 2015 is the EOL date for Windows Server 2003, so what is WSUSOU going to do for root certificates after that date?

Re: Does WSUSOU install updated certificate trust/untrust li

Post by aker » 11.07.2015, 15:24

As long as MS provides the files (and maybe updates them), wsusou will be able to download & install them. They can be applied on NT 6.x (Vista - Win 8.1), too, so I assume that they will still be included after w2k3 support gets removed.

