Recent changes to the Microsoft certificate landscape will have a significant impact on the processes related to local publishing and third-party updates for customers using WSUS for these type of updates -- all complements of the Flame malware discovered in May.
First, KB2718704 (http://technet.microsoft.com/en-us/security/advisory/2718704) was released on June 3rd to revoke three Microsoft certificates that were identified as compromised as a result of the Flame investigation, and is discussed in detail in these articles:
Second, KB2720211 (http://support.microsoft.com/kb/2720211) provided an update to the WSUS server which rolled up a couple of previous WSUS hotfixes, one of which affected local publishing, but more significantly, updated the certificate infrastructure for WSUS, and provided a new Windows Update Agent (v7.6.7600.256) which has enhanced security regarding how it trusts certificates for selecting and installing Windows updates.
Third, KB2661254 will be released on Patch Tuesday, August 14, 2012, and will invalidate all pre-existing certificates that use key-lengths of less than 1024 bits. This will include ALL WSUS self-signed local publishing certificates that were created prior to installing KB2720211.
As a result of these updates you should immediately plan for the following:
1. Ensure KB2718704 is installed to all systems.
2. Ensure KB2720211 is installed to all of your WSUS servers. (Note: This update is not trivial. Please refer to the KB article, the TechNet WSUS Forum, and the related blog post for guidance.)
3. Once KB2720211 has been successfully installed to all WSUS servers, you will need to create a *NEW* WSUS self-signed publishing certificate. This action will create a new 2048-bit certificate.
4. Distribute this certificate to your client systems.
Then consider your existing published third-party updates in your WSUS infrastructure. Those updates will continue to be installable by your client systems until such time as KB2661254 is installed. You should make an effort to expedite the deployment of these updates to wherever they may be needed. The installation of KB2661254 will invalidate the previous WSUS self-signed publishing certificates and render all of your existing third-party updates as uninstallable.
For those updates you no longer need to deploy, you should use whatever tools available to you to expire or delete those updates. At a minimum you should decline those updates to ensure they are not accessible to client systems.
For those updates that you still need to have available, you should expire those updates and then wait 24 hours to ensure all client systems have received that change in approval status from the WSUS server. If you have downstream WSUS servers, you may wish to wait 48 hours. Following the expiration of those updates, you can then delete them from your WSUS servers. If you do not have the ability to expire or delete updates, at a minimum you should decline them.
Then, republish any of those updates using the newly created (post-KB2720211) 2048-bit WSUS self-signed publishing certificate.
Sign Up For News & Tips