Please tell me I’m dreaming. While working on the new version of CTLInfo (screenshot below), I ran across an unexpected and rather scary finding: A key security component of Windows, the so-called ‘Disallowed’ CTL, has a validity of 15 months and is going to expire in 25 hours.
Running certutil -verifyCTL disallowed indeed confirms it on my Windows 10 machine, but like the author, I have no idea what this means. If it really is what it looks like… Wow.
… when it expires it’ll get a new one. No?
According to the blog post, it’s supposed to get a new one every day and, when it does, that new one is supposed to be valid for 15 months.
Either Microsoft hasn’t been pushing updates or the expiry date has remained constant (meaning that, when the deadline hits, the servers could be pushing updates with an expiry date earlier than the date they were generated).
Edited 2015-09-23 03:53 UTC
That’s not at all what the article says.
It says it’s about to expire, and that he hopes it is updated before it does.
I just ran it on my Windows 10 Pro, and got this:
[DisallowedCTL]
ListIdentifier = "DisallowedCert_AutoUpdate_1"
SequenceNumber = 01d0f584a9ad12f7
ThisUpdate = "9/22/2015 5:18 PM"
NextUpdate = EMPTY
SubjectAlgorithm = 1.3.6.1.4.1.311.10.11.15, "disallowedHash"
SignerExpiration = "8/14/2016 12:13 PM", "326.2 Days"
CTLEntries = 57
The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND) -- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcert.sst
MissingCerts = 57
Looks like the expiration is extended to next year, but cert is not found… so maybe Windows resets its expiration automatically even without the cert being found?
This was all just a big misunderstanding by the person who “discovered” this.
The disallowed CTL is checked for updates once a day (unconditionally). The resulting CTL is signed for a period of 1 year, i.e. it is valid for 1 year. It still gets checked daily to see if it changes though…
The reason it was going to expire was because the signature was going to expire, not because the CTL itself was old or had not been checked for updates recently.
When a CTL changes they re-sign it with the same expiration it had before (the hash changes, but not the expiration). The hash is what tells Windows that it needs to update.
The windows update servers simply rekey and bump the expiration up by one year when it reaches its EOL.
So what that guy was seeing was that his disallowed CTL was signed with a signature that would expire in 1.1 days. It was last changed on 03/23/2015 (the last time the CTL actually changed). Windows was and still is checking for updates every day – there just had not been one since March…
So what you saw was that the signature on the CTL file in windowsupdate finally got renewed, which also changed the hash, which prompted you to pull a new copy. Thing is, the contents (the 57 disallowed certs) had not changed – the only reason you pulled the update was because of the signature change. This will happen again in 1 year – you may not even get a single update in that time; you’ll only pull an update if a new disallowed cert is added (which is infrequent).
I.e. there is nothing to see here… Everyone can move along
Edited 2015-09-23 23:00 UTC
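The distinction the last comment draws, between the CTL content last changing (ThisUpdate) and the signature on it expiring (SignerExpiration), is easy to get wrong when eyeballing certutil output, so here is an added example (not code from the thread or from Microsoft) that parses the `certutil -verifyCTL disallowed` output quoted above and reports the two separately. The sample text is constructed to mirror the output posted in the thread; it assumes certutil prints en-US style dates (`M/D/YYYY h:mm AM/PM`) as it does on the machine quoted, and the `verify_ctl_live` helper assumes it is run on Windows where certutil is available. The seven-day warning threshold is an arbitrary choice.

```python
"""Parse `certutil -verifyCTL disallowed` output and separate
'the signature is about to expire' from 'the list is stale'."""
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample, modelled on the output quoted in the thread above.
SAMPLE_OUTPUT = """\
[DisallowedCTL]
ListIdentifier = "DisallowedCert_AutoUpdate_1"
SequenceNumber = 01d0f584a9ad12f7
ThisUpdate = "9/22/2015 5:18 PM"
NextUpdate = EMPTY
SubjectAlgorithm = 1.3.6.1.4.1.311.10.11.15, "disallowedHash"
SignerExpiration = "8/14/2016 12:13 PM", "326.2 Days"
CTLEntries = 57
The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND) -- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcert.sst
MissingCerts = 57
"""

QUOTES = '"\u201c\u201d'            # straight and curly quotes (forum copy/paste)
DATE_FMT = "%m/%d/%Y %I:%M %p"     # assumption: en-US certutil date format


def _unquote(s):
    return s.strip().strip(QUOTES)


def parse_verify_ctl(text):
    """Return the fields we care about; anything not present stays None."""
    info = {"list_id": None, "this_update": None, "signer_expiration": None,
            "ctl_entries": None, "missing_certs": None, "download_error": None}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep:
            if key == "ListIdentifier":
                info["list_id"] = _unquote(value)
            elif key == "ThisUpdate":            # last time the CTL content changed
                info["this_update"] = datetime.strptime(_unquote(value), DATE_FMT)
            elif key == "SignerExpiration":      # first field is the date, second is "N Days"
                date_part = value.split(",")[0]
                info["signer_expiration"] = datetime.strptime(_unquote(date_part), DATE_FMT)
            elif key == "CTLEntries":
                info["ctl_entries"] = int(value)
            elif key == "MissingCerts":
                info["missing_certs"] = int(value)
        # A Win32 HRESULT on a line means the download of the .sst failed.
        m = re.search(r"\b(0x[0-9A-Fa-f]{8})\b", line)
        if m:
            info["download_error"] = m.group(1)
    return info


def assess(info, now, warn_days=7):
    """Report signature expiry and content age as separate facts."""
    days_left = (info["signer_expiration"] - now) / timedelta(days=1)
    content_age = (now - info["this_update"]) / timedelta(days=1)
    return {
        "signature_days_left": round(days_left, 1),
        "signature_expiring_soon": days_left < warn_days,   # what the original post saw
        "content_age_days": round(content_age, 1),          # how old the 57 entries are
        "download_failed": info["download_error"] is not None,
        "all_entries_missing": info["missing_certs"] == info["ctl_entries"],
    }


def verify_ctl_live():
    """Run certutil on this machine (Windows only) and assess the result."""
    proc = subprocess.run(["certutil", "-verifyCTL", "disallowed"],
                          capture_output=True, text=True)
    return assess(parse_verify_ctl(proc.stdout), datetime.now())


if __name__ == "__main__":
    # Evaluate the sample as of the day the comment above was posted.
    for k, v in assess(parse_verify_ctl(SAMPLE_OUTPUT), datetime(2015, 9, 23)).items():
        print(f"{k}: {v}")
```

Read the report the way the last comment does: a small `signature_days_left` with a large `content_age_days` means the signature is up for renewal, not that the blocklist has gone unrefreshed; `download_failed` set while `all_entries_missing` is true is the separate condition the second poster hit, and is the one worth investigating.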