14 new trusted root certificates added to Windows in unannounced update

[Batu69]

My monitoring scripts raised an alert a few days ago: Microsoft has just quietly updated its Root CTL (Certificate Trust List), increasing its size to 356 roots.

The official channels, which normally announce and document such updates well in advance, are oddly silent about this one, and the new CTL is already being pushed to all Windows systems (including servers).

 

A quick RCC scan (shameless plug!) highlights the following entries as new:

1e0e56190ad18b2598b20444ff668a0417995f3f    LU    LuxTrust Global Root 2
5463283b6793ff55277cede39098e80422f912f7    CO    AC Raiz Certicamara S.A.
3143649becce27eced3a3f0b8f0de4e891ddeeca    TR    TUBITAK Kamu SM SSL Kok Sertifikasi  Surum 1
e252fa953feddb2460bd6e28f39ccccf5eb33fde    HR    SZAFIR ROOT CA2
3f0feb17a7ef5804cfd90a77b7bb021ea69c6418    GR    BYTE Root Certification Authority 001
a69e0336c4e59023ff653c71f928eb73f21c00f0    CA    Carillon Information Security Inc.
d99b104298594763f0b9a927b79269cb47dd158b    TW    ePKI Root Certification Authority - G2
81ac5de150d1b8de5d3e0e266a136b737862d322    TW    ePKI Root Certification Authority - G2
c3197c3924e654af1bc4ab20957ae2c30e13026a    US    SSL.com Root Certification Authority ECC
b7ab3308d1ea4477ba1480125a6fbda936490cbb    US    SSL.com Root Certification Authority RSA
4cdd51a3d1f5203214b0c6c532230391c746426d    US    SSL.com EV Root Certification Authority ECC
1cb7ede176bcdfef0c866f46fbf980e901e5ce35    US    SSL.com EV Root Certification Authority RSA
d3dd483e2bbf4c05e8af10f5fa7626cfd3dc3092    PL    Certum Trusted Network CA 2
d496592b305707386cc5f3cdb259ae66d7661fca    ES    ACA ROOT

Trusting new CAs is always a big deal, so advanced users and enterprise admins may use the above list to research these new roots and decide which ones they actually want to trust. And I'm currently working on a trust store hardening product, which will make it easy to drastically reduce your exposure to unnecessary CAs. Stay tuned! 

 

Article source

[straycat19]

We were notified of these certificate additions because Microsoft cannot touch our machines directly.  We use System Center Configuration Manager which only allows us to make changes to our systems.  The advantage of using that system is we control everything that goes on a computer, and can pick and choose which updates and changes we install.  We manage the root certificate store and only allow the ones we need.  Root certificates are a primary concern in securing systems, since a fraudulent certificate can allow malware or remote access to the system unknowingly.