As part of the phased mitigation strategy we outlined on the MSRC blog, an update was released with Security Advisory 2718704 that prevents unauthorized certificates from being used to attack Windows systems. In an effort to provide additional protection for customers, the next action in our mitigation strategy is to further harden Windows Update as a defense-in-depth precaution. Now that we have seen broad adoption of Security Advisory 2718704, our deployment of the security hardening update to Windows Update and Windows Server Update Services (WSUS) infrastructures will begin to roll out over the next few days.
Our hardening introduces two defense-in-depth changes. First, we have further hardened the Windows Update infrastructure so that the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client. Second, we are strengthening the communication channel used by Windows Update in a similar way. Details on the changes to the Windows Update client can be found at KB 949104. WSUS customers will also receive an update; more details can be found at KB 2720211.
As with past updates, this update will not change your current Windows Update or Automatic Updates settings. Anytime Windows Update (or Automatic Updates) is turned on, either set to automatically install updates or notify to install updates, Windows Update will take care of updating itself.
It’s important to keep your PC up to date with the latest updates to keep your PC running smoothly and safely.
How will this affect existing customers using WSUS 2 and not willing to update to WSUS 3 for whatever reason? Can we just install the new certificate in the trusted roots folder?
Its great that you are taking the security and the hardening of the certs but when will you release a version of the agent with better error logging and reporitng.
Currently so many error codes are not documented or the offical MS documenation is so bad that you need google and a whole lotta luck to actually fix a broken instance of Windows Update.
When the new Windows update downloaded it would not allow me to enter Explore.
I had to do a system restore and go back before the update to access Explore or any internet access.
What should I do?
Although I have seen this update arrive on a Windows 7 64-bit machine, I have not seen this update arrive on any 32-bit Windows machine at my disposal. Is this update intended to apply to 32-bit systems?
Why is this update classified as Critical Update and not as Security Update even though it is clearly security-relevant? Many organizations deploy Security Updates but not Critical Updates on a regular schedule and I guess the classification as Critical Update will cause a lot of organizations to miss this update.
What action versions can update files in the incomplete state of the work this problem?
This security issue being addressed is because of a weakness in update itself. By disabling Windows update in Services (local) and clicking Stop Service, there will be now way anyone can hack this issue.
To be really safe, go back to XP, what I'm doing, 8 ,,,, don't make me laugh.
windows xp was really one of the best operation systems
puedo instalar solo en Domain Controler la aplicacion WSUSemail@example.comGracias