I'm working with Windows Server 2008 R2 x64 Std. Edition, w/SP1, fully patched, in a security environment.
We run a security scanner (required by customer) to look for vulnerabilities on our systems. It keeps telling me that my machines have the following problems:
"Microsoft Windows Digital Security Vulnerability (20120710)" (Microsoft has updated their untrusted certificate list in order to blacklist several fraudulent digital certificates. Successful exploitation could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle (MITM) attacks.) Solution: "Install the appropriate patch from Microsoft or through Windows Update."
"Microsoft Revocation of Fraudulent Certificates (2798897)" (Microsoft has updated their untrusted certificate list in order to blacklist one fraudulent digital certificates issued by TURKTRUST Inc. Successful exploitation could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle (MITM) attacks.) Solution: "Install the appropriate patch from Microsoft or through Windows Update."
"Microsoft Windows Digital Certificate Vulnerability (20130403)" (Microsoft has updated their untrusted certificate list in order to blacklist several fraudulent digital certificates. Successful exploitation could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle (MITM) attacks.) Solution: "Install the appropriate patch from Microsoft or through Windows Update."
"Microsoft Unauthorized Digital Certificates Could Allow Spoofing (2982792)" (The remote host is missing KB2677070 or the latest disallowed certificate update using KB2813430. If KB2677070 is installed, it is missing the latest auto-updates.) Solution: "Ensure Microsoft AutoUpdater for revoked certificates (KB2677070) is installed and running or install and use KB2813430 to update the certificates offline."
The list of installed updates on my test server shows KB2677070 and KB2813430 both installed.
I have tried to get certificate updates from both my local WSUS server and directly from Microsoft Update. The scanner still reports those problems.
I have found references to something called 'IEXPRESS' packages to download and install the certificate updates manually, but I can't find any place to download those cert updates or any details on how to install them.
Can anyone point me in the right direction to get these certificates and certificate trust lists and certificate revocation lists updated, hopefully with automatic updating in the future? "Install the appropriate patch from Microsoft or through Windows Update" is spectacularly UNhelpful. How do I 'use KB2813430 to install the certificates offline'?
Thanks in advance.