Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

Announcing the automated updater of untrustworthy certificates and keys

A number of certificates issued under standard trusted root certification authorities are known to be untrustworthy, either because the CA never authorized them or because the associated private key has been compromised. To help customers avoid interacting with these untrusted certificates and compromised keys, an automatic updater of revoked certificates is now available for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2. Learn more and download the updater through Microsoft KB 2677070.

Until now, changes to the Untrusted Certificates store reached customers only by initiating an update through Windows Update or by a manual method. The update published in KB 2718704, for example, which moved unauthorized certificates to the Untrusted Certificates store, had to be installed explicitly. The new feature delivers this revocation information dynamically, so Windows clients learn of newly untrusted certificates at most a day after the information is published, with no user interaction required. It also gives Certificate Authorities a channel to report their revoked CA certificates to Microsoft and have them publicly untrusted much faster than the same information would propagate through CRLs.
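Several commenters below ask how to tell whether the updater is installed and actually fetching the disallowed list. The following PowerShell script is an added example, not part of the original post or of KB 2677070 itself. It assumes the disallowed CTL download URL quoted in the comments, the DisableRootAutoUpdate policy value under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot, and that certutil can dump whatever .stl file expand.exe extracts from the cab. Run it elevated on one of the OS versions listed above.

```powershell
# Added example (not from the original post): verify that a Windows 7 /
# Server 2008 R2 machine can receive the KB 2677070 disallowed-certificate
# updates and look for evidence that the disallowed CTL has been fetched.

# 1. Is the updater installed? KB 2677070 ships as a hotfix on these OSes.
$hotfix = Get-HotFix -Id 'KB2677070' -ErrorAction SilentlyContinue
if ($hotfix) { "KB2677070 installed on $($hotfix.InstalledOn)" }
else         { 'KB2677070 is NOT installed' }

# 2. Is automatic root/CTL download blocked by policy? With this value set
#    the machine will not pull disallowedstl.cab on its own. (Policy path
#    assumed; it is the Group Policy location for the AuthRoot settings.)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled  = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate `
                -ErrorAction SilentlyContinue).DisableRootAutoUpdate
if ($disabled -eq 1) { 'DisableRootAutoUpdate=1: automatic updates are blocked by policy' }
else                 { 'Automatic root/CTL updates are not blocked by policy' }

# 3. Turn on the CAPI2 operational log (off by default) so network
#    retrievals are recorded, then look for fetches of the disallowed CTL.
#    The match on the file name avoids depending on specific event IDs.
wevtutil set-log 'Microsoft-Windows-CAPI2/Operational' /enabled:true | Out-Null
$ctlEvents = Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' `
                -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match 'disallowedstl' }
"CAPI2 events mentioning disallowedstl.cab: $(@($ctlEvents).Count)"
$ctlEvents | Select-Object -First 5 TimeCreated, Id | Format-Table -AutoSize

# 4. Fetch the CTL through the same URL the client uses (quoted in the
#    comments) and dump its contents. This shows the thumbprints that are
#    distrusted even though, on Windows 7, they never appear as certificates
#    in the Untrusted Certificates store.
$url     = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedstl.cab'
$workDir = Join-Path $env:TEMP 'disallowedctl'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$cab = Join-Path $workDir 'disallowedstl.cab'
(New-Object System.Net.WebClient).DownloadFile($url, $cab)   # PS 2.0-compatible
expand.exe $cab -F:* $workDir | Out-Null
Get-ChildItem -Path $workDir -Filter '*.stl' | ForEach-Object {
    "--- CTL contents of $($_.Name) ---"
    certutil.exe -dump $_.FullName
}

# 5. For comparison, what the local Untrusted Certificates store holds.
#    On versions before Windows 8 an unchanged listing is NOT a failure:
#    the updater stores the thumbprints in the CTL, not as certificates.
Get-ChildItem Cert:\LocalMachine\Disallowed |
    Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize
```

If step 3 shows no events, clear the log, force a certificate validation that needs the CTL (browsing to any HTTPS site is enough) and re-run the query; the download is only triggered when the cached copy is stale. Step 4 works from any machine with outbound access, so it is also a convenient way to confirm that a proxy exception for ctldl.windowsupdate.com is in place before rolling the update out to servers without direct Internet access.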

Comments
  • The KB article is extremely difficult to view; IE timeouts and crashes take place when attempting to view this particular article.

  • Will a similar streamlined update procedure be made for Windows Mobile 6.5, WP7 and WP7.5?  My carrier has still declined to release the Jan 2012 update 7.10.8107.79.

  • Hi Kurt,

    Thanks for including such great information in this blog post. You mention that these updates are installed without user interaction. While I don’t have a problem with that, is there a method to verify that such updates are being installed when they are released? E.g. from the “View Update History” link from within Windows Update of Windows 7 or via checking version numbers of the files that are to be installed?

    I am asking since in the future, when such updates are released, it will likely be stated that we need not take any action. However, what if there is a configuration error on a PC that prevents such an update from being installed? The user of the system would assume they were protected when they are not. This gives a false sense of security. I realize this scenario of a configuration error is extremely unlikely, but it can happen.

    Since we are always advised to install all security updates as soon as possible, we need to ensure this is indeed occurring as expected and not luring us into a false sense of assuming we are patched, when we are not.

    I mention the above scenario since a similar misunderstanding of an update that should be automatically installed but was not installed recently happened to me. The new silent updater of Adobe Flash Player does not behave as one might expect e.g. that all security updates are applied within 24 hours automatically. This is true for security updates but when a version upgrade e.g. 11.2 to 11.3 occurs which also includes a security update, such an update is postponed for up to 1 week. This leaves the user vulnerable during that time. It also assumes the user knows how to check if they are fully updated and if not, take the necessary action. However, to Adobe’s credit they are willing to explore other options to address this. Here is a link to the relevant thread: forums.adobe.com/.../4483381

    Also how will Windows XP receive such updates? Will it simply continue to use the traditional manual root certificate update?

    I simply wish to raise these questions to ensure the security update process for everyone is smooth and seamless. Thank you.

  • How does this interact with the DisableRootAutoUpdate system policy? Will we still be able to get updates to untrusted certificate lists if we have disabled automatic root download?

  • We are seeing an issue with SharePoint 2010 servers which have had KB 2677070 applied and where the servers have no internet access. With the update applied, the Claims To Windows Token service (c2wts) will not start.

    The only solution is either to roll back KB 2677070 or to allow the servers to connect to the URLs mentioned in the KB article.

  • Paul Lynch: The SharePoint issue was discussed today in a meeting I attended. This is a support issue and should be posted on the Security forum social.technet.microsoft.com/.../threads. It seems like you may have already contacted support. The issue is certainly being looked into, but the problem is not quite clear. If you actually solve the issue by rolling back the update, that would be interesting.

    If you start a thread on the security forum, please, let me know (post back here). I will alert some internal people and watch the thread for useful information to share here. However, I don't want to turn this blog into a support forum. So, I will be deleting this comment and your comment in the future and just providing a summary of the information or link to more.

  • Questions and answers:

    1. baillard - No answer has come back on the Windows Mobile specifically, but since it is not listed in the OS versions, I am thinking not.

    2. JimboC - The Untrusted Certificates list will grow when you get more entries. You can find that list in the Certificates MMC snap-in. As for knowing you are protected, this is just a method for you to get protected faster than waiting for the next update. You will still be able to get the updated list on a monthly basis (I think). Windows XP is not on the list, so it doesn't get the quick updates, but as long as the regular updates are released for Windows XP, then it will eventually get that information.

    3. HackedOffAdmin - Even with DisableRootAutoUpdate you can still use the manual process to get the updates. You probably already got that from the previous answers.

  • Hi Kurt,

    Thanks for looking into these questions with the relevant teams. The information that you have provided is exactly what I was looking for. Thank you again for following up about this.

    For your information, I have located the answer to one of my questions at the following link:

    blogs.technet.com/.../june-2012-security-bulletin-q-a.aspx

    ------------------

    Q: KB2677070 doesn't support XP. Will KB931125 still be updated through the end of XP support?

    A: The Trusted Root Certificate updates (KB931125) will continue to be available to Windows XP through its normal product lifecycle.

    ------------------

    This answers my question about Windows XP i.e. if it is still to receive certificate revocation updates manually. This will not affect me since 2 of my computers use Windows 7 Ultimate 64 bit SP1 and another uses Windows Vista Ultimate 64 bit SP2.

  • Hi Kurt,

    is there any more info on this KB2677070? My problem is: I work in the IT Department of a very large company and I would very much like to see this KB in action.

    So my first step was adding two proxy exceptions for:

    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedstl.cab

    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

    I installed the KB2677070 on some test lab machines and before I start reverse engineering I want to find out how this works. Any info on this? Is it triggered through Task Scheduler? Is there any conflict with us using SCCM 2007 and SCCM 2012 in a test environment?

    I searched through TechNet, but all I got was, of course, this PKI blog (I like it!) and the KB article itself, and the rest is the whole pile of problems this article is engaging on different platforms.

    Any help would be appreciated!

    Thanks and greetings from Germany

    PSO

  • Can this automatic updater of revoked certificates cause my clients to reboot after they're updated with untrusted certificates? Like KB2718704 you noted above did?

  • PSO: See technet.microsoft.com/.../cc751157.aspx - the update mechanism is similar to Root Certificate Update mechanism.

  • PSO: Have you succeeded in testing KB2677070? I have been checking my "Untrusted Certificates" store over the last few days and have noticed no new certificates. I would very much like to understand how this process works.

  • Kurt: What does the client do once this updater is installed? I have it installed on 1,500 systems, but the certificates recently untrusted from KB2728973 are not listed in the Certificates MMC or the registry key SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates. How can I validate this is working properly?

    Mark

  • Michael Melling and MarkE: Yes, Microsoft employees did test that the updater works. You will not see new "untrusted" certificates when this update is working. What happens is the thumbprints of the untrusted certificates go into a list of untrusted certificates, a certificate trust list (CTL). With Windows 8 you would be able to actually see a CTL with a bunch of untrusted signatures inside the Untrusted Certificates node. I asked the PM in charge of this feature and he said the way to see this working on previous Windows OS versions is to enable CAPI2 logging. So, don't expect to see this displayed in the Untrusted Certificates store on versions prior to Windows 8.

  • Hi Kurt,

    Sorry to rake up this old topic, but I was interested in knowing if there have been changes to the updater now?

    The reason I ask is because I have a few installations at my disposal - Windows 2012 Standard, Win 2k8 SP2 and Windows 7 SP1. I manually installed KB2916652 on Windows 2012 and let the auto updater run on all the other machines. Unlike what you say, I found the registry key being created in all of the occasions at HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5CE339465F41A1E423149F65544095404DE6EBE2

    So my question is - are the registry keys generated or not? I can see they are, but you say otherwise. If they are not, how do I check my other machines to see if they have this KB installed or not?

    I had originally written to MS support at http://social.technet.microsoft.com/Forums/windowsserver/en-US/7179c53d-c696-4a39-b355-24fa45a4d8d8/verify-kb2916652-on-windows-2012?forum=winserver8gen#7179c53d-c696-4a39-b355-24fa45a4d8d8. But I failed to receive a favourable reply. Hence my question.

    Thanks,
    - M.
