Monday 15 December 2014

Microsoft problem patch, breaks future patching of certificates

In addition to the normal Patch Tuesday series of security of updates from Microsoft, we also saw an additional security bulletin released that addressed a vulnerability in the Windows Root certificate Program in Windows

The initial security bulleting released in the form of a Microsoft Knowledge base article KB3004394 attempted to resolve a polling issue with the certificate update process, detailed by Microsoft here;
"The Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows. Usually, a client computer polls root certificate updates one time a week. After you apply this update, the client computer can receive urgent root certificate updates within 24 hours." 
To get more information on this process, you can read about the polling process in the Microsoft KB article found here KB931125 

Unfortunately, this update to the certificate polling process has broken the polling update process. Microsoft has now revoked the KB article KB3004394 with the following information:
"this update is causing additional problem on computers that are running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the inability to install future updates. The KB 3004394 update does not cause any known problems on the other systems for which it is released. We recommend that you install the update on the other systems."

An update is now available to remove the Microsoft update KB3004394 from Windows 7 SP1-based and Windows Server 2008 R2 SP1-based computers which you can find here KB3024777

So, just to be clear. If you installed KB3004394, you need to install KB3024777. Or you will not receive updates to your certificates via the automated Microsoft update service.

No comments: