Broadband Tech > Security > Security > Microsoft untrusted certificate store update (Dec 31st)

reply to StuartMW

Re: Microsoft untrusted certificate store update (Dec 31st)

All the update does it change the registry entries for Root Certificates that have been revoked (because they've been stolen, mis-used etc). No actual software (patch) is installed.
--
Don't feed trolls--it only makes them grow!

Is this a regular thing or did something big happen within Microsoft?

Not sure what your question is?

This kind of update is not common. Microsoft doesn't often pull updates and the reissue them but it is not unheard of.
--
Don't feed trolls--it only makes them grow!

No real question just curious about the update and further more about it being pulled.

FAQ »technet.microsoft.com/en-us/secu···/2798897

"The customers that have the automatic updater of revoked certificates (Microsoft Knowledge Base Article 2677070) will not need to take any action because the CTL will be updated automatically."

»support.microsoft.com/kb/2677070

Google is your friend (if you use GoogleSharing)

CTL = Certificate Trust List Overview (Windows)

PS: The Microsoft webpage is loading just fine for me in FF 17.0.1.
--
Don't feed trolls--it only makes them grow!

After I got to that link I was able to read the information and refresh my memory as to what this whole issue is about.
Thank you. I was just really frustrated with Microsoft for providing such a terrible page: »support.microsoft.com/kb/2677070

said by Microsft.com :

---

An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This updater expands on the existing automatic root update mechanism technology that is found in Windows Vista and in Windows 7 to let certificates that are compromised or are untrusted in some way be specifically flagged as untrusted.

A certificate trust list (CTL) is a predefined list of items that are signed by a trusted entity. All the items in the list are authenticated and approved by a trusted signing entity. This update expands on this existing functionality by adding known untrusted certificates to the untrusted certificate store by using a CTL that contains either their public key or their signature hash. After this update is installed, customers benefit from quick automatic updates of untrusted certificates.

Users who have disconnected systems will not benefit from this feature improvement. These customers will still have to install the root certificate updates when they are made available. Please see the “More Information” section.

As part of this update, the URLs that are used for contacting Windows Update to download the untrusted and trusted CTLs were changed. This could cause problems for enterprises that hardcode these URLs in their firewalls as exceptions."

---

I not sure if CTL is useful for those that download Windows Updates often.

BTW if you use the links I originally posted you can install the update manually. Or you can wait until they're on WU. I did it manually on my Win7 x64 system.

FYI the update file is named rvkroots.exe. You can extract the files within with WinZip. It contains

  5/31/2012  15:54          91,136  ADVPACK.DLL
12/31/2012  15:59          83,067  disallowedcert.sst
 5/31/2012  15:39           1,549  rvkroots.inf
 6/01/2012  10:48           6,656  updroots.exe
 5/31/2012  15:55           2,272  W95INF16.DLL
 5/31/2012  15:55           4,608  W95INF32.DLL
 

Thanks that helps quite a bit!
I see those entries in Event Viewer.

reply to bluepoint

reply to bluepoint
got it here

Successful auto update of disallowed certificate list with effective date: Monday, December 31, 2012 3:50:01 PM.