  • Further Hardening of WSUS Now Available

    Hello, 

    As we mentioned previously, Microsoft is releasing an update to further harden Windows Server Update Services (WSUS) as a defense-in-depth precaution for our customers. This update is now available for download. As an additional measure, we are providing the SHA1 and SHA2 hashes of the WSUS update and the WU client files we released today, so that administrators can verify that the files they download are from Microsoft. The hashes are listed in the update KB article. We strongly urge WSUS administrators to apply these updates as soon as possible to take advantage of the added security they offer. For more information, please review the MSRC blog.

    Please follow these steps to ensure a smooth deployment:

    1. Apply Security Advisory Update 2718704, issued on June 3, which moved unauthorized digital certificates derived from a Microsoft Certificate Authority to the Untrusted Store.
    2. Apply the WSUS update, issued on June 08; see KB 2720211.

    Thank you,

    WSUS team
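
A pre-deployment check covering the two steps and the hash verification described in the post above, as an added example (not Microsoft's code). The package path and both expected hashes are placeholders to be replaced with the values from the KB article, the "SHA2" value is assumed to be SHA-256, and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example. Placeholders: package path and both expected hashes; take the
# real values from the KB 2720211 article. Assumes its "SHA2" value is SHA-256.
param(
    [string]$PackagePath    = 'C:\Temp\<wsus-update-package>.exe',
    [string]$ExpectedSha1   = '<SHA1 from KB article>',
    [string]$ExpectedSha256 = '<SHA2 from KB article>'
)

function Test-PackageHash {
    param([string]$Path, [string]$Algorithm, [string]$Expected)
    # Published hashes may contain spaces or mixed case; keep hex digits only.
    $want = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $len  = @{ SHA1 = 40; SHA256 = 64 }[$Algorithm]
    if ($want.Length -ne $len) {
        throw "Expected $Algorithm value is not $len hex digits; was the placeholder replaced?"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    [pscustomobject]@{ Check = $Algorithm; Passed = ($actual -eq $want); Detail = $actual }
}

$results = @()

# Step 1: Security Advisory update 2718704 must already be installed.
# Get-HotFix does not list every update type, so a miss warrants a manual check.
$kb = Get-HotFix -Id 'KB2718704' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check = 'KB2718704 installed'; Passed = [bool]$kb; Detail = "$($kb.InstalledOn)"
}

# Step 2 pre-check: both published hashes must match the downloaded package.
$results += Test-PackageHash $PackagePath 'SHA1'   $ExpectedSha1
$results += Test-PackageHash $PackagePath 'SHA256' $ExpectedSha256

# The package should also carry a valid Authenticode signature. With 2718704
# applied, a file signed by a certificate in the Untrusted Store is not 'Valid'.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
$results += [pscustomobject]@{
    Check = 'Authenticode'; Passed = ($sig.Status -eq 'Valid')
    Detail = $sig.SignerCertificate.Subject
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'Do not install: one or more checks failed.'
    exit 1
}
```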

  • Update to Windows Update, WSUS Coming This Week

    Hello,

    As part of the phased mitigation strategy we outlined on the MSRC blog, an update was released with Security Advisory 2718704 that prevents unauthorized certificates from being used to attack Windows systems.  In an effort to provide additional protection for customers, the next action in our mitigation strategy is to further harden Windows Update as a defense-in-depth precaution. Now that we have seen broad adoption of Security Advisory 2718704, our deployment of the security hardening update to Windows Update and Windows Server Update Services (WSUS) infrastructures will begin to roll out over the next few days.

    Our hardening introduces two defense-in-depth changes.  First, we have further hardened the Windows Update infrastructure so that the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client. Second, we are strengthening the communication channel used by Windows Update in a similar way.  WSUS customers will also receive an update; more details will be found on the Knowledge Base when the update becomes available.

    As with past updates, this update will not change your current Windows Update or Automatic Updates settings. Anytime Windows Update (or Automatic Updates) is turned on, either set to automatically install updates or notify to install updates, Windows Update will take care of updating itself.

    It’s important to keep your PC up to date with the latest updates to keep your PC running smoothly and safely.

    WU/WSUS Team