forums.wsusoffline.net

I recently added KB2862973 to my WOU custom section. It is a security update that restricts the use of certificates with MD5 hashes. It's for Windows Vista, 7 and 8, but not 8.1 -- the functionality is already built into that version.

You can read more about the update here:
Microsoft Security Advisory (2862973): Update for Deprecation of MD5 Hashing Algorithm for Microsoft Root Certificate Program
Microsoft Security Advisory: Update for deprecation of MD5 hashing algorithm for Microsoft root certificate program: August 13, 2013

I'm making this post so others can save time if they want to add that update to their WOU. First open a command window and switch to your wsusoffline directory. Then run the commands below ONCE to add the update information to your WOU custom section. Every line starts with the echo command.

EDIT: Torsten changed WOU so in version 8.7 it downloads KB2862973 automatically. You must still explicitly add the ID for installation by running the commands below. This is likely to change after February 11, 2014 when MS pushes the update to everyone, then these commands likely won't be needed.

Code: Select all

echo KB2862973>>client\static\custom\StaticUpdateIds-w60-x86.txt
echo KB2862973>>client\static\custom\StaticUpdateIds-w60-x64.txt

echo KB2862973>>client\static\custom\StaticUpdateIds-w61-x86.txt
echo KB2862973>>client\static\custom\StaticUpdateIds-w61-x64.txt

echo KB2862973>>client\static\custom\StaticUpdateIds-w62-x86.txt
echo KB2862973>>client\static\custom\StaticUpdateIds-w62-x64.txt

After you do that run UpdateGenerator.exe and it should download KB2862973. You can confirm they exist in client\<os>\glb\WindowsXXXX-KB2862973-xXX.msu, for example:
client\w60\glb\Windows6.0-KB2862973-x86.msu

Very useful, I think.
http://trac.wsusoffline.net/browser/trunk (r513).

Thanks & regards
Torsten Wittrock

WSUSUpdateAdmin wrote:Very useful, I think.
http://trac.wsusoffline.net/browser/trunk (r513).

Thanks & regards
Torsten Wittrock

Torsten I would just point out that according to Microsoft,

Administrators of enterprise installations should assess their environments for the existence of certificates with MD5 hashes and re-issue these certificates prior to broader distribution of the update, which Microsoft plans to release in February 2014.

Maybe there are a lot of people using MD5 certificates and if they use WOU it may be unexpected to have them disabled. I don't know that KB2862973 should be included by default, or maybe there should be a checkbox?


There are two updates that I mentioned a while back that I really think you should include by default:

Microsoft Security Advisory: Update for the Windows Operating System Loader
Microsoft Security Advisory (2506014): Update for the Windows Operating System Loader
Microsoft says about that update: "While this is not an issue that would require a security update..." I disagree. Especially because they describe it as "An issue has been identified that could allow a user with administrative permissions to load an unsigned driver." Yet for some reason they never released it as a security update.

Code: Select all

echo http://download.microsoft.com/download/D/B/2/DB23C949-6F3F-455F-A048-FE7C8CDB97A9/Windows6.0-KB2506014-x64.msu>>static\custom\StaticDownloadLinks-w60-x64-glb.txt
echo http://download.microsoft.com/download/9/8/5/98578ACE-4837-437E-B51B-E4C4C8DFE7AB/Windows6.1-KB2506014-x64.msu>>static\custom\StaticDownloadLinks-w61-x64-glb.txt

echo KB2506014>>client\static\custom\StaticUpdateIds-w60-x64.txt
echo KB2506014>>client\static\custom\StaticUpdateIds-w61-x64.txt

Unauthorized digital certificates could allow spoofing
Microsoft Security Advisory (2718704): Unauthorized Digital Certificates Could Allow Spoofing
This is a mitigation for the Flame trojan and yet for some reason they don't include it by default. Why is that..

Code: Select all

echo http://download.microsoft.com/download/D/0/7/D07BC77B-ECE5-4BD9-80F8-17C5C237B1A0/WindowsXP-KB2718704-x86-ENU.exe>>static\custom\StaticDownloadLinks-wxp-x86-glb.txt
echo http://download.microsoft.com/download/B/C/3/BC388BA3-D4CC-4D16-BF84-1A1154FB5599/WindowsServer2003-KB2718704-x86-ENU.exe>>static\custom\StaticDownloadLinks-w2k3-x86-glb.txt
echo http://download.microsoft.com/download/9/7/8/97859DB6-04A2-43A5-B9E8-C37180425D08/WindowsServer2003.WindowsXP-KB2718704-x64-ENU.exe>>static\custom\StaticDownloadLinks-w2k3-x64-glb.txt

echo KB2718704>>client\static\custom\StaticUpdateIds-wxp-x86.txt
echo KB2718704>>client\static\custom\StaticUpdateIds-w2k3-x86.txt
echo KB2718704>>client\static\custom\StaticUpdateIds-w2k3-x64.txt

echo http://download.microsoft.com/download/D/7/A/D7A4C58C-A0E8-4CD7-A405-36C787637474/Windows6.0-KB2718704-x86.msu>>static\custom\StaticDownloadLinks-w60-x86-glb.txt
echo http://download.microsoft.com/download/7/3/1/731F9EE8-438E-4411-A994-2D0A1443501F/Windows6.0-KB2718704-x64.msu>>static\custom\StaticDownloadLinks-w60-x64-glb.txt

echo KB2718704>>client\static\custom\StaticUpdateIds-w60-x86.txt
echo KB2718704>>client\static\custom\StaticUpdateIds-w60-x64.txt

echo http://download.microsoft.com/download/4/1/3/413A9B3D-DC56-4DD8-8944-9B0DB0CC8025/Windows6.1-KB2718704-x86.msu>>static\custom\StaticDownloadLinks-w61-x86-glb.txt
echo http://download.microsoft.com/download/1/7/8/1787B87D-5DA3-44EF-A393-F15BF8EA3FBF/Windows6.1-KB2718704-x64.msu>>static\custom\StaticDownloadLinks-w61-x64-glb.txt

echo KB2718704>>client\static\custom\StaticUpdateIds-w61-x86.txt
echo KB2718704>>client\static\custom\StaticUpdateIds-w61-x64.txt

Thanks

Hi friday,

friday123 wrote:Torsten I would just point out that according to Microsoft,

Administrators of enterprise installations should assess their environments for the existence of certificates with MD5 hashes and re-issue these certificates prior to broader distribution of the update, which Microsoft plans to release in February 2014.

Oops, I overlooked that.
I'll keep the download URLs but drop the installation defs, so everyone can make a "custom" decision.

friday123 wrote:There are two updates that I mentioned a while back that I really think you should include by default:

Microsoft Security Advisory: Update for the Windows Operating System Loader
Microsoft Security Advisory (2506014): Update for the Windows Operating System Loader
Microsoft says about that update: "While this is not an issue that would require a security update..." I disagree. Especially because they describe it as "An issue has been identified that could allow a user with administrative permissions to load an unsigned driver." Yet for some reason they never released it as a security update.

I now added this one (download and installation defs).

friday123 wrote:Unauthorized digital certificates could allow spoofing
Microsoft Security Advisory (2718704): Unauthorized Digital Certificates Could Allow Spoofing

...but not this one, because WOU downloads and installs both most recent rootsupd.exe and rvkroots.exe.

Regards
Torsten Wittrock

WSUSUpdateAdmin wrote:

friday123 wrote:Unauthorized digital certificates could allow spoofing
Microsoft Security Advisory (2718704): Unauthorized Digital Certificates Could Allow Spoofing

...but not this one, because WOU downloads and installs both most recent rootsupd.exe and rvkroots.exe.

Regards
Torsten Wittrock

Thanks Torsten. I investigated what you said regarding 2718704 and you are right it's not needed for WOU since the certificates are updated.