dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
3967
share rss forum feed


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Microsoft untrusted certificate store update (Dec 31st)

quote:
Install this update to resolve an issue which requires an update to the untrusted certificate store on Windows systems and to keep your systems up to date. After you install this update, you may have to restart your system.

Update for Windows XP and Windows Server 2003 (KB2798897)

Update for Windows Vista, Windows 7, Server 2008, Server 2008 R2 (KB2798897)

Update for Windows 8, Windows Server 2012 (KB2798897)
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

1 recommendation

Hmm, Microsoft seems to have pulled all of the above.

They're up again.
--
Don't feed trolls--it only makes them grow!



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2

1 recommendation

Microsoft is a mess.



kickass69

join:2002-06-03
Lake Hopatcong, NJ

2 recommendations

With the ugly Ribbon for Office and now Windows 8, seems like they're going down the drain slowly.



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2

1 recommendation

blowing that money on skype didn't help



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
reply to StuartMW

Keep the links posted anyways, who knows, they could come back up. I wonder if they slipped through Windows Update during the brief time they were available...


kruser
Premium
join:2002-06-01
Eastern MO

I found it on my WSUS server and it did install on a few Win 7 client machines. The SBS server has it ready to install but I'm declining it until I learn why they pulled it.

Now I wonder why they pulled it. I'd have loved to have read the support notes about it.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Dustyn

said by Dustyn:

I wonder if they slipped through Windows Update during the brief time they were available...

I got the WinXP one, via Windows Update, before they pulled the lot. Never showed up for Win7.

I wonder if there were issues with the updates or they just couldn't figure out how to post them (probably only a skeleton staff on 12/31).
--
Don't feed trolls--it only makes them grow!

kruser
Premium
join:2002-06-01
Eastern MO

I noticed this evening that the update is now in the Declined list on a WSUS server and the update no longer shows as installed when I look in the "Installed Updates" list on a 2008 Server box and some Win 7 machines that I know accepted and installed the update. It does show in the update history though on all the machines I know it installed on. I guess they reversed it in WSUS and told it to uninstall and then set the update too declined.
I could allow it again but it says removal is not allowed so I don't plan on allowing it.
This update was a weird one.

I wonder if it had anything to do with KB2794220?
They only have a temp fix for that one at this time. The real fix is to use a 3rd party browser I think!



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

3 edits
reply to StuartMW

Bump.

Updates are back. Downloaded them for WinXP and Win7. Links above are good.

FYI packages were digitally signed Monday, December 31, 2012 17:08:52 so no changes seem to have been made from my initial post (My post was at 14:00:26 PST).
--
Don't feed trolls--it only makes them grow!



EmoHobo

join:2010-07-16
reply to StuartMW

I just got this and was a little surprised since it didn't require a restart, can someone explain what this update was as it seems pretty serious but I don't quite get it and I've never seen an update like this before.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

All the update does it change the registry entries for Root Certificates that have been revoked (because they've been stolen, mis-used etc). No actual software (patch) is installed.
--
Don't feed trolls--it only makes them grow!



EmoHobo

join:2010-07-16

Is this a regular thing or did something big happen within Microsoft?



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Not sure what your question is?

This kind of update is not common. Microsoft doesn't often pull updates and the reissue them but it is not unheard of.
--
Don't feed trolls--it only makes them grow!



EmoHobo

join:2010-07-16

No real question just curious about the update and further more about it being pulled.



bluepoint

join:2001-03-24

FAQ »technet.microsoft.com/en-us/secu···/2798897

"The customers that have the automatic updater of revoked certificates (Microsoft Knowledge Base Article 2677070) will not need to take any action because the CTL will be updated automatically."

»support.microsoft.com/kb/2677070



antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
reply to StuartMW

I got this update in my XP SP3 machines so far. Nothing in my 64-bit W7 and Vista HPE SP2.



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

4 edits
reply to bluepoint

said by bluepoint:

"The customers that have the automatic updater of revoked certificates (Microsoft Knowledge Base Article 2677070) will not need to take any action because the CTL will be updated automatically."

»support.microsoft.com/kb/2677070

The above link does not work for myself at the moment as it's taking far too long to display and locks up IE9.
EDIT: WTF? That page is INSANE! FAR TOO MUCH information has been posted. Browser freezes. Just how far down do I have to keep scrolling to get to the end of the page!?? It really should be broken down on separate pages. I was eventually able to load this page in Opera. IE9 came through after a few minutes... Terrible page.
--
Remember that cool hidden "Graffiti Wall" here on BBR? After the name change I became the "owner", so to speak as it became: Dustyn's Wall »[Serious] RIP


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

Google is your friend (if you use GoogleSharing)

CTL = Certificate Trust List Overview (Windows)

PS: The Microsoft webpage is loading just fine for me in FF 17.0.1.
--
Don't feed trolls--it only makes them grow!



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

After I got to that link I was able to read the information and refresh my memory as to what this whole issue is about.
Thank you. I was just really frustrated with Microsoft for providing such a terrible page: »support.microsoft.com/kb/2677070

said by Microsft.com :
An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This updater expands on the existing automatic root update mechanism technology that is found in Windows Vista and in Windows 7 to let certificates that are compromised or are untrusted in some way be specifically flagged as untrusted.

A certificate trust list (CTL) is a predefined list of items that are signed by a trusted entity. All the items in the list are authenticated and approved by a trusted signing entity. This update expands on this existing functionality by adding known untrusted certificates to the untrusted certificate store by using a CTL that contains either their public key or their signature hash. After this update is installed, customers benefit from quick automatic updates of untrusted certificates.

Users who have disconnected systems will not benefit from this feature improvement. These customers will still have to install the root certificate updates when they are made available. Please see the “More Information” section.

As part of this update, the URLs that are used for contacting Windows Update to download the untrusted and trusted CTLs were changed. This could cause problems for enterprises that hardcode these URLs in their firewalls as exceptions."
--
Remember that cool hidden "Graffiti Wall" here on BBR? After the name change I became the "owner", so to speak as it became: Dustyn's Wall »[Serious] RIP


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 edits

1 recommendation

I not sure if CTL is useful for those that download Windows Updates often.

BTW if you use the links I originally posted you can install the update manually. Or you can wait until they're on WU. I did it manually on my Win7 x64 system.

FYI the update file is named rvkroots.exe. You can extract the files within with WinZip. It contains

  5/31/2012  15:54          91,136  ADVPACK.DLL
12/31/2012  15:59          83,067  disallowedcert.sst
 5/31/2012  15:39           1,549  rvkroots.inf
 6/01/2012  10:48           6,656  updroots.exe
 5/31/2012  15:55           2,272  W95INF16.DLL
 5/31/2012  15:55           4,608  W95INF32.DLL
 
--
Don't feed trolls--it only makes them grow!


bluepoint

join:2001-03-24

1 edit

1 recommendation

Click for full size
Event 4112
For vista to W8, the CTL update will not show in WU. It has an autoupdate mechanism on it's own provided kb2677070 was installed when it was released in June 12, 2012. To check if CTL was updated automatically, look in eventvwr windows log/applications for event 4112 Source: Cap12.


Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

Thanks that helps quite a bit!
I see those entries in Event Viewer.



chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
reply to bluepoint

said by bluepoint:

FAQ »technet.microsoft.com/en-us/secu···/2798897

"The customers that have the automatic updater of revoked certificates (Microsoft Knowledge Base Article 2677070) will not need to take any action because the CTL will be updated automatically."

»support.microsoft.com/kb/2677070

Thanks for note and links
said by StuartMW:

Google is your friend (if you use GoogleSharing)

CTL = Certificate Trust List Overview (Windows)

PS: The Microsoft webpage is loading just fine for me in FF 17.0.1.

Thanks for the links.


Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
reply to bluepoint

got it here

Successful auto update of disallowed certificate list with effective date: Monday, December 31, 2012 3:50:01 PM.



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

said by Cartel:

got it here

Successful auto update of disallowed certificate list with effective date: Monday, December 31, 2012 3:50:01 PM.

Ditto.