Expiring digital signatures and rereleased updates

A reasonable amount of confusion appears to have arisen after Microsoft re-released the latest roll-up updates for Exchange 2007 SP3 and Exchange 2010 SP1 and SP2 on October 9. Only one piece of additional functionality is included in the new software (KB2756987, a fix that ensures the correct search results are provided to Outlook 2010 and Outlook 2013 clients), so it’s not the case that Microsoft suddenly discovered some lingering bug or horrible problem that they had distributed in error in the original releases.

Instead, as we find out in the Microsoft Security and Defense blog, the root cause that forced the rerelease is a “clerical error made in code-signing” that  meant that the digital signatures applied to the software will expire prematurely. Once a digital signature expires, the software is no longer trusted by the WinVerifyTrust function used by Windows to validate software. The blog isn’t explicit as to exactly when the signature expires, preferring to say that “it occurs in the next few months”.

The recommendation from Microsoft’s security team is as follows:

We encourage all customers to apply the re-released, re-signed security updates as they become available.  As an additional defense-in-depth measure, we recommend that customers also apply the updated WinVerifyTrust package which serves as an effective way for Windows and Microsoft applications to extend the validity period of these packages beyond the premature expiration date.  We should be clear that the re-released, re-signed security updates by themselves are sufficient to address the potential compatibility issue and the WinVerifyTrust package is not strictly necessary - it is offered as a defense-in-depth option to customers who want to ensure that this issue does not affect them between now and the time they apply the updated security updates.”

The meaning of the advice is pretty straightforward – download and install the updates. However, Exchange 2010 SP2 RU4 was released in mid-August and Microsoft typically releases a new roll-up update every six weeks or thereabouts. Lots of attention was given to MEC during September and this might have delayed the release of the next roll-up update a tad, as might work to prepare legacy versions for the imminent arrival of Exchange 2013, but even so it’s reasonable to expect that new code should be available soon. If that’s the case, then it should be sufficient to download and deploy that code as it should be properly signed.

Arguing against this view and to follow the advice to download and install the updated releases, you might say that it takes an organization considerable effort to validate and test any new roll-up update before releasing the new code into production. This is absolutely true and there is no way that I would ever encourage that you rush a roll-up update into production, if only because of the fact that Microsoft has started to introduce new (and sometimes surprising)functionality in these updates. It might well be the case that your test process takes long enough for the digital signatures on the original updates to expire, and who knows what might happen then?

The safer course of action seems to be to download and apply the rereleased code. You should still test it before allowing the code into production but with only one new fix introduced, it’s reasonable to expect that the testing should be faster and easier than for a completely new roll-up update.

At the end of the day, the decision about what to do when Microsoft releases a security update probably comes down to a spirited discussion between the operations, security, and messaging teams in any company (in some companies, these functions might be covered by one or two individuals). It’s all in your hands.

P.S. (12 October): For those who have Windows Management Framework (WMF) 3.0 installed on your Exchange 2010 SP2 servers, you might like to check this TechNet forum post for details of a problem that some have encountered when they attempt to install Exchange 2010 SP2 RU4-v2. Thanks to @Thom_Bomb for letting us know.

Follow Tony @12Knocksinna

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.