InfoPost - WUA v7.6.7600.256 / What's up with this update anyway?

In order to ensure a high level of service quality, reliability, and operation, Microsoft must occasionally do some maintainance work to the Windows updating systems (MU/WU/WSUS) by updating the infrastructure of the Windows Update service. While these so called "infrastructure updates" are important for the WU service to run properly, they may not occur so often but maybe once a year, though the latest one (WUA v7.6.7600.256) took place 3 years after its preceding one - the now-old WUA v7.4.7600.226 (released September 2009).

The Old Windows Update Agent:

For further information in respect to the now-old WUA v7.4.7600.226 you may refer to the KB946928 article found here > http://support.microsoft.com/kb/946928 which includes old files information and links to download that expired (but maybe current enough?) version of the WUA.

Would point out that "at this point in time", this is the only WUA installer available for download, as there is no standalone installer (yet) of the latest and current WUA (v7.6.7600.256). Please note that same KB946928 (ignore its title) was last reviewed on June 8, 2012 just to notice this fact.-

Notice:

"There is no standalone installer of the latest version of the Windows Update Agent (7.6.7600.256). The following are instructions on how to obtain version 7.4.7600.226 of the Windows Update Agent.

For more information about the latest version of the Windows Update Agent (7.6.7600.256), please go to this location: http://support.microsoft.com/kb/949104

If you have automatic updates turned on in Windows, the latest version of the Update Agent will automatically be installed on your computer.

To install the latest version of the Update Agent, visit Windows Update here:  http://www.update.microsoft.com ".-

The New Windows Update Agent:

Please note that the new WUA version 7.6.7600.256 was created on June 2, 2012 but released on a "staged roll-out" basis that began (I think) around June 14, 2012. It was announced by the Windows Update Team on June 6, 2012 (Update to Windows Update, WSUS Coming This Week) posted here >  http://blogs.technet.com/b/mu/archive/2012/06/06/update-to-windows-update-wsus-coming-this-week.aspx

Full details (as published) including new files information, etc.. are found in KB949104 which was last reviewed on June 8, 2012. See here >  http://support.microsoft.com/kb/949104

As mentioned before, because (as of to-date) there is no standalone installer of the new version, the only way to get it installed on your system is through the WU channel by either visiting the WU or MU websites, or by keeping the Automatic Updates (AU) feature turned on.

Same as with past WU infrastructure updates, anytime Windows Update (or Automatic Updates) is turned on, Windows Update will take care of updating itself by automatically installing the latest version.

The Windows Update or Automatic Updates client software must be updated, or you may not be able to successfully check for updates or perform other configured actions. If Windows Update or Automatic Updates is enabled to automatically check for updates, download updates, or install updates on your computer, then the infrastructure update will be downloaded and installed automatically. Your computer will not be updated if you have disabled Windows Update (or Automatic Updates) and do not check for updates.

Please also note that this update/upgrade will not change your current Windows Update or Automatic Updates settings, either set to automatically install updates or notify you to install available updates.

But what's with the update anyway?

It's normal procedure as part of the upgrade process to update both the back-end infrastructure that supports the service as well as the client side code, i.e. the Windows Update agent or client. On this opportunity however, it seems it took more than this as it happened that Microsoft discovered back in (I think) late May 2012, that some components of a serious malware known as "Flame" were signed by unauthorized certificates (affecting 3 real Microsoft signed certificates) that could allow software to appear "as if" it was produced by Microsoft. See more information about it here:

=> Microsoft Security Response Center > "Microsoft Releases Security Advisory 2718704" - Posted Jun 3, 2012 4:41 PM >

http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx 

=> Microsoft Security Research & Defense > "Microsoft certification authority signing certificates added to the Untrusted Certificate Store" - Posted Jun 3,  2012 5:55 PM > http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx

Further detailed information of the situation can be found here:

=> Microsoft Security Response Center > "Security Advisory 2718704: Update to Phased Mitigation Strategy" - Posted 4 Jun 2012 4:11 PM >

http://blogs.technet.com/b/msrc/archive/2012/06/04/security-advisory-2718704-update-to-phased-mitigation-strategy.aspx

=> Microsoft Security Research & Defense > "Flame malware collision attack explained" - Posted 6 Jun 2012 8:57 AM >

http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx

=> Microsoft Security Response Center > "Security Advisory 2718704: Collision attack details, WU update rollout" - Posted 6 Jun 2012 11:00 AM >

http://blogs.technet.com/b/msrc/archive/2012/06/06/security-advisory-2718704-collision-attack-details-wu-update-rollout.aspx 

As explained on the above linked blogposts, MSRC's research revealed that... a vulnerability existed on a MS signed certificate that chained up to a Microsoft Root authority that could (without the updates being applied) allow potential attackers - with the ability to perform a "collision attack" - to forge such a certificate that would be valid for code signing as having been produced by MS, and thus it could be used to attack all versions of Windows systems.

Without said collision attack however, it would have still been possible to sign code, but that would validate only on systems pre-dating Windows Vista, as that signed code would fail validation on Windows Vista and above.

In either case, an attacker must get his signed code onto the target system and this could be done if the client’s Automatic Update program receives the attacker’s signed package as trusted as it was signed with a MS certificate (a faked one in this case). Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack.

So to summarize, MS implemented a phased mitigation strategy to "harden" Windows Update (WU) and Windows Server Update Services (WSUS) infrastructures based on two actions taken as a defense-in-depth precaution and to provide additional protection for customers.-

First action was taken on June 3, 2012 by releasing an update with the Security Advisory 2718704 (Unauthorized Digital Certificates Could Allow Spoofing) that prevents unauthorized certificates from being used to attack Windows systems. The update revokes the trust of 2 intermediate CA certificates (the irregular certificate and all certificates from the involved certificate authorities were invalidated). 

Security Advisory 2718704 can be found here >  http://technet.microsoft.com/en-us/security/advisory/2718704

Following broad adoption of KB2718704, second action was implemented with the new update to the Windows Update Client (WUA v7.6.7600.256) that introduced two changes: A hardening of the WU and WSUS infrastructures so that the Windows Update client will only trust files that are signed by a new certificate issued by the Microsoft Update certification authority and that is used solely to protect updates to the Windows Update client; and in a similar way, a strengthening of the communication channels used by WU/WSUS.

As mentioned above, details on the changes made to the WU client can be found at KB949104 here > http://support.microsoft.com/kb/949104 

and more details on the update for WSUS users can be found at KB2720211 here > http://support.microsoft.com/kb/2720211 

Other related updates made available:

- KB2677070 Released June 12, 2012 (An automatic updater of revoked certificates is available).-

In addition to Junes' security updates, MS have released a non-security update to make available an automatic updater feature for Windows Vista and Windows 7 untrusted certificates. Users of WinXP and below would still need to check on WU and install the root certificate updates when they are made available. This new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted. With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy.

More information and download location can be found at KB2677070 here > http://support.microsoft.com/kb/2677070

- KB2728973 Released July 10, 2012 (Unauthorized Digital Certificates Could Allow Spoofing).-

In addition to Julys' security updates, MS have released a high-priority non-security update, as a pre-emptive protection action, to move 28 certificates that do not meet standards for security practices into the Untrusted Certificate Store.

More information and download location can be found at KB2728973 and SA2738973 here > http://support.microsoft.com/kb/2728973  and 

http://technet.microsoft.com/en-us/security/advisory/2728973 

Hope this info is of any assistance to all users of the Windows Update Forum.

======================================================================================

Disclaimer: I'm not a MS employee, MVP, not even an expert - I had 2 medals, now I don't have not a single star!

The collected information is provided "AS IS" based on the original MS articules linked herewith.

This is an Info-Post-Only thread. Other than to provide any Feedback, please do not reply to this Thread, but should you require any assistance related to this topic, do not hesitate to open your own thread making sure to provide as much information as you can regarding issues you are experiencing. Thanks.

    HOW TO begin your own, new thread about your computer & your problem

    http://answers.microsoft.com/en-us/Page/faq#faqGettingAnswers5

======================================================================================