
Fraudulent digital certificates could allow spoofing

Discussion in 'Security and Privacy' started by Christer, 2013/01/04.

  1. 2013/01/04
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    I have Windows XP Professional and Windows 7 x64 Professional installed on the same computer in dual boot configuration.

    The first 4 updates were prompted via Windows Update on both operating systems: KB2524375, KB2607712, KB2641690 and KB2718704. The naming of the files followed the "conventional" naming like "WindowsXP-KB2524375-x86-ENU.exe" and "Windows6.1-KB2524375-x64.msu".

    From KB2728973 and now KB2798897 my computer is no longer offered the updates on Windows 7 x64 Professional. The files no longer follow the "naming convention", they are all named "rvkroots.exe".

    The KB-articles for KB2728973 and KB2798897 seem to indicate that Windows 7 x64 systems are not affected but ... :confused: ... all other systems and versions are.

    Is there a simple explanation?
     
  2. 2013/01/04
    Christer

    Reading the actual Security Advisories (links in the KB-articles) reveals that the x64 versions of Windows 7 should be affected too but no prompts to install and only one file version. What's the deal?
     


  4. 2013/01/06
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Yea, seems like another failing of WU.

    On my Windows 7 x64 I have:

    • KB2524375
    • KB2607712
    • KB2641690
    • KB2718704

    I also don't have KB2728973 nor KB2798897.

    Note that KB2798897 is meant as a replacement for KB2728973.

    Now KB2798897 states:

    I do have KB2677070 installed, so according to the above, I do not need KB2798897.

    Well, I checked, and I have a number of certificates listed in Untrusted Publishers but not

    • *.google.com issued by *.EGO.GOV.TR
    • e-islem.kktcmerkezbankasi.org issued by TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri
    • *.EGO.GOV.TR issued by TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri

    I checked a VM which is running Win7 HP x64, and that system only has the KB2718704 update installed (which in itself is OK, since that update replaces the 3 others mentioned before).

    But the weird thing is that the certificates

    • *.google.com issued by *.EGO.GOV.TR
    • e-islem.kktcmerkezbankasi.org issued by TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri
    • *.EGO.GOV.TR issued by TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri

    Are listed in the Untrusted Publishers on that system....

    So I did run the file from KB2798897 manually. I note that the 3 certificates are now added, but KB2798897 is not listed as an update when searching for installed updates.
     
    Arie,
    #3
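
The check described in the post above, as an added PowerShell example that is not part of the original thread: it looks for the three certificates in the Disallowed store, which is what the "Untrusted Publishers" tab displays. The subject names are copied from the post; matching on subject name alone is an assumption of this example, and the issuer and thumbprint are printed so each hit can be compared against the advisory by hand.

```powershell
# Added example, not from the thread. Subject names are taken from the post above.
$expected = @(
    '*.google.com',
    'e-islem.kktcmerkezbankasi.org',
    '*.EGO.GOV.TR'
)
$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Read the Disallowed store for both the machine and the current user.
$disallowed = foreach ($path in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
    if (Test-Path $path) {
        Get-ChildItem $path | ForEach-Object {
            New-Object PSObject -Property @{
                Store      = $path
                Subject    = $_.GetNameInfo($simple, $false)  # subject common name
                Issuer     = $_.GetNameInfo($simple, $true)   # issuer common name
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
    }
}

foreach ($name in $expected) {
    # Use -eq rather than -like: the names contain '*', which -like treats as a wildcard.
    $hits = @($disallowed | Where-Object { $_.Subject -eq $name })
    if ($hits.Count -eq 0) {
        Write-Output ("MISSING  {0}" -f $name)
    } else {
        foreach ($h in $hits) {
            Write-Output ("PRESENT  {0}  issued by {1}  [{2}]  in {3}" -f `
                $h.Subject, $h.Issuer, $h.Thumbprint, $h.Store)
        }
    }
}
```

Because the thread reports that the manually run update does not appear in the installed-updates list, the store contents are the thing to check rather than the update history.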
  5. 2013/01/06
    Christer

    As I understand it, according to the FAQ in the actual Security Advisories, they are all cumulative and replace the previous ones. For KB2798897 it states:

    I too have KB2677070 installed which was released on June 11. KB2718704 preceded it on June 03 and is installed. KB2728973 was released after it on July 09 and is not installed and nor is KB2798897.

    The question is if they are needed but installed "silently" without user intervention? I can't check the KB2677070 article right now. For some reason, it freezes my browser ... :eek: ... !
     
  6. 2013/01/06
    Christer

    I had to be patient with the KB2677070 article. It loaded after a few seconds, provided that I didn't desperately click several buttons.

    It says under more information:

    My computer speaks Swedish but when I checked my Windows 7 x64 system, under "Certificate Path Validation Settings", not a single box was checked under any of the four tabs. As I understand it, the function is disabled. Which box(es) should be checked for it to work or am I on the wrong track?
     
  7. 2013/01/06
    Christer

    I forgot to mention that I'm 100% sure that the two most recent updates have been installed on my Windows XP system (I download to my computer and install all updates off-line) but they are not listed in "add/remove programs" and there are no "$NtUninstallKB*******$" folders. The certificates added through KB2798897 are listed in Untrusted Publishers but I haven't checked the certificates added through KB2728973.

    None of the certificates added through KB2798897 are listed in Untrusted Publishers on my Windows 7 x64 system and again, I haven't checked the certificates added through KB2728973. I wait for your comments on "Certificate Path Validation Settings". Should I try making some changes and see what happens?
     
  8. 2013/01/06
    Arie

    Completely the wrong track!

    It says what boxes to tick, and when you select Define these policy settings the other settings become available.

    But what that does is: disable the network retrieval of the trusted and untrusted CTLs.

    You then of course don't have to worry about any "missing" update :eek:
     
    Arie,
    #7
  9. 2013/01/06
    Arie

    Just install manually and check the Untrusted Publishers section... that's all there is to it!
     
    Arie,
    #8
  10. 2013/01/06
    Christer

    When I went there, it was all greyed out and no boxes were ticked, as in deactivated. When I ticked the box to "Define these policy settings", a lot of boxes got ticked, as in activated. I thought that if I had "saved and exited", it would become activated. I'll have to go back, re-read KB2677070 and have another look.

    Well, there is more to it. If I hadn't dual booted Win XP and Win 7, I would never have a clue about the missing update(s) on Win 7. Either MS make KB2677070 work as it should or MS prompt the users to install the updates through Windows Update, just like I get prompted on Win XP. It's probably not only my Win 7 system but a lot more users are affected, users who don't dual boot.
     
  11. 2013/01/07
    Arie

    Well, I checked 4 systems, and only on 1 system I had those 3 missing certificates.

    I can't do anything about it. Since they are security updates, you can ask Microsoft for free support.
     
  12. 2013/01/07
    SpywareDr

    SpywareDr SuperGeek WindowsBBS Team Member

    Joined:
    2005/12/31
    Messages:
    3,752
    Likes Received:
    338
  13. 2013/01/07
    Christer

    Okay, since it cannot be only my system and one of yours that are affected in the whole world, I will try to find out how and where to send a copy of my initial post with a link to this thread.
     
  14. 2013/01/07
    Christer

  15. 2013/01/07
    Christer

    Done, response time is 24 hours.
     
  16. 2013/01/13
    Christer

    Well, the support people are friendly but they don't have a clue.

    One of them told me that he could see that I did not have KB2677070 installed. I asked how he could see that. I provided screenshots to show that it had been installed. I asked if he wanted me to reinstall it. His response was "what do you want to reinstall" and I kept on explaining.

    I tried to reinstall KB2677070 but a popup told me that it had already been installed.

    I uninstalled it and let Windows Update do a search. It found no new updates.

    I tried to reinstall it (the previously downloaded file) but a popup told me that the update could not be applied to this computer. This is a logical consequence of "finding no new updates" but is it because it has been installed and uninstalled? (Rhetorical question.)

    It seems like MS is standing in you know what up to their knees ... :eek: ... !

    Being a Ghost user, I will roll back to Patch Tuesday in June 2012, my last image prior to installing KB2677070 in July 2012. I will then see if Windows Update will offer it to my system. I'll be back.
     
  17. 2013/01/14
    Arie

    Well, personally I wouldn't worry about it. Things happen. I just installed manually & that's the end of it for me...
     
  18. 2013/01/14
    Christer

    Windows Update offered the same updates as in July 2012, with one exception = KB2677070. Of course, updates released after July 2012 were also offered and those updates that have been replaced were not offered.

    When I try to install KB2677070 manually, a popup notifies that the update cannot be applied to my computer.

    Neither KB2728973 nor KB2798897 have been offered through Windows Update.

    No additions to "Untrusted Publishers" have (thus far) been made.
     
  19. 2013/01/14
    Christer

    If I, after restoring the image, restart disconnected from the internet and immediately try to install KB2677070, no problems, it is accepted.

    If I, after restoring the image, connect to Windows Update something gets changed and KB2677070 is no longer accepted by my system.

    It seems like something is going on behind the scenes and maybe I should sit on my hands and wait for Windows6.1-KB2677070-v2-x64.msu?

    Edited: Windows6.1-KB2677070-v2-x64.msu is pure speculation on my part!
     
  20. 2013/01/17
    Christer

    This is still ongoing. The support guy suggested a reset of Windows Update by running a fix "wufixV2.exe". I did but no difference. Neither KB2677070 nor KB2728973/KB2798897 are offered.
     
  21. 2013/01/17
    Christer

    One of the support guys admitted that there are many possible reasons and he can't tell why it doesn't work.

    In the next sentence, he informed me that he could no longer assist since I use Norton Ghost for backup and have restored the system which "voids support". For this to continue, I must reinstall Windows 7 from "square one".

    The thing is that they have known for nine days that I use Norton Ghost but not until now, when he admits that he can't tell what's the problem, does he give me that load of "you know what".

    I have asked him to show me where in the license agreement it states that I cannot use "imaging programs" for backup.
     
