KB2917500 Relevance Issue

(imported topic written by CSL2012)

Hi,

I’m reviewing our Audit Findings and found a discrepancy with the fixlet for KB2917500. Fixlet ID: 291750001, 2917500: Improperly issued digital certificates could allow spoofing - V2, is not showing relevance on quite a few Windows Server 2008 R2 systems. Can someone review? The Audit Findings and WSUS match for the patch KB2917500 applicability, but TEM is not showing any relevance. I’ve attached the QNA file I ran on a server needing the patch KB2917500 after verifying manually that the patch never ran, there was no update to the CTL, the finding exists, and WSUS shows it needing the patch. Thanks.

Chi

(imported comment written by sylviabeing)

There is a Note mentioned on the Security Advisory page stating this:

Recommendation.
An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8. For these operating systems and devices, customers do not need to take any action as these systems and devices will be automatically protected.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action as these systems will be automatically protected.

For customers running Windows XP or Windows Server 2003, or for customers who choose not to install the automatic updater of revoked certificates, Microsoft recommends that the 2917500 update be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually. For more information, see the Suggested Actions section of this advisory.

That’s the reason we blocked systems with KB2677070 installed from applying KB2917500 for certain OSes.

But it seems MBSA is giving a different result. We are actually looking into this issue. We will update you with our progress.

Regards,

Sylvia

(imported comment written by CSL2012)

The reason why MBSA is giving a different result is because it’s looking to see if the certificate was added to the Untrusted Cert Folder via a value in the registry from the update, either KB2677070 or KB2917500. KB2677070 is the Automatic Updater which, once installed, enables systems to automatically update Root Certs from the Internet (see http://support.microsoft.com/kb/2677070, under More Information). For those companies that maintain a Secure Environment, any Internet access is tightly controlled along with any changes such as Patches and/or Configurations. This is why KB2917500 was released to provide an alternate means of updating untrusted certificates on systems (see http://support.microsoft.com/kb/2917500 for details). Per Microsoft in KB2917500, "Update for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Customers should install the automatic updater of revoked certificates. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 2813430 (http://support.microsoft.com/kb/2813430/). An update is available that enables administrators to update trusted and disallowed CTLs in disconnected environments in Windows. Enterprise customers who cannot use the automatic updater can obtain Rvkroots.exe from Windows Update catalog (KB2917500)." Fixlet ID: 291750001 conflicts with MBSA or WSUS because Relevance 4 is evaluating the existence of KB2677070. Basically KB2677070 can be installed, but if the system has no internet connection then there’s no update to the untrusted cert. We created a custom copy and removed the following relevance in Fixlet ID: 291750001: "… AND (number of (elements of ((set of (if (exists key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry) then elements whose (it contains "KB2677070" AND it does not contain "") of ((set of ((substrings before "~" of substrings after "for" of names of keys whose (name of it contains "for_" AND (it = 96 or it = 112 or it = 6 or it = 7) of (value "CurrentState" of it as integer)) of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry) as uppercase))) else (nothing))))) < 1))". By doing so, the Applicable systems matched what our WSUS server shows as Applicable, which matched our Audit Findings.

Chi
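The CBS-package test that Relevance 4 performs, modelled in Python as an added example (not code from the thread or from the fixlet itself). The registry snapshots are constructed to mirror the layout of the Component Based Servicing\Packages key, and the stock/custom switch shows why a KB2677070-only system drops out of the shipped fixlet but not of the custom copy:

```python
# Added example: model of the KB2677070 gate in Fixlet 291750001's Relevance 4.
# Snapshot layout is constructed: {CBS package subkey name: CurrentState value}.

# CurrentState values the fixlet's relevance treats as "installed"
INSTALLED_STATES = {96, 112, 6, 7}

# Constructed: KB2677070 installed, KB2917500 only staged (not installed).
SNAPSHOT_WITH_2677070 = {
    "Package_for_KB2677070~31bf3856ad364e35~amd64~~6.1.1.0": 112,
    "Package_for_KB2917500~31bf3856ad364e35~amd64~~6.1.1.0": 80,
}

# Constructed: neither update installed.
SNAPSHOT_WITHOUT = {
    "Package_for_KB2917500~31bf3856ad364e35~amd64~~6.1.1.0": 0,
}


def installed_kb_tokens(packages):
    """Mirror the relevance: keep subkeys whose name contains 'for_' and whose
    CurrentState is an installed state, then take the text after 'for' and
    before the first '~', uppercased (e.g. '_KB2677070')."""
    tokens = []
    for name, state in packages.items():
        if "for_" in name and state in INSTALLED_STATES:
            after_for = name.split("for", 1)[1]
            tokens.append(after_for.split("~", 1)[0].upper())
    return tokens


def kb_installed(packages, kb):
    """True when some installed CBS package token contains the KB number."""
    return any(kb in token for token in installed_kb_tokens(packages))


def fixlet_relevant(packages, stock=True):
    """stock=True reproduces the shipped fixlet, which is not relevant when
    KB2677070 is installed (even with no internet access); stock=False
    reproduces Chi's custom copy with that clause removed."""
    if kb_installed(packages, "KB2917500"):
        return False
    if stock and kb_installed(packages, "KB2677070"):
        return False
    return True


if __name__ == "__main__":
    for label, snap in (("with KB2677070", SNAPSHOT_WITH_2677070),
                        ("without", SNAPSHOT_WITHOUT)):
        print(label, "stock:", fixlet_relevant(snap),
              "custom:", fixlet_relevant(snap, stock=False))
```

Note that the relevance's "substrings after" yields one substring per occurrence of "for"; the model takes only the first, which matches real CBS package names.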

(imported comment written by sylviabeing)

Hi Chi,

After investigating this Security Advisory further, we have found the following behavior regarding KB2917500 and KB2677070 (which puzzles us):

1. KB2677070 installs a binary to the target system and the binary will download some key store data online and update the system for any revoked or disallowed certificates.
2. KB2917500 installs a tool and a key store update to the target system. Once this patch is applied, the concerned certificate update is handled.

Microsoft has given some details about the use of KB2677070 and KB2917500. It appears that, if a customer has installed KB2677070 without internet access, the concerned certificate update will not be applied to the system. Therefore MBSA still shows that KB2917500 is required.

Our current fixlet 291750001 is not targeting those systems without internet access and we are not planning to change the patch behavior. For servers/clients without Internet access, we will suggest the following relevance.

(imported comment written by sylviabeing)

Hi,

We found a way to detect the status of the key store update. Please try the attached V2 custom copy and let us know whether it works for you!

If it works fine, we will consider republishing the content.

Thanks & Regards,

Sylvia

(imported comment written by CSL2012)

Sylvia,

Unfortunately we are unable to properly test as we have already taken care of our remaining servers with Audit Findings since time was a factor. Thanks but I’ll try the suggested method for future releases as this won’t be the last digital certificate issue.

Chi

(imported comment written by sylviabeing)

No worries!

Regards,