Microsoft is under no obligation to notify you or ask your permission before placing a new trusted root certificate on your Windows PC. That said, just last year Microsoft was caught in the embarrassing position of yanking 45 bogus certificates issued under the root certificate authority of the government of India's Controller of Certifying Authorities. Transparency in distributing new trusted root certs is a good thing.
A certificate expert who goes by the Twitter handle @hexatomium said in an article on GitHub over the weekend that Microsoft started pushing the new trusted root certificates earlier this month to "all supported Windows systems." It isn't clear how the root certs were pushed, but he does say Microsoft "did not announce this change in any KB article or advisory."
I can confirm, at least in my experience, that this is true: There doesn't appear to be any notification about the new root certs anywhere that I can find.
The names attached to the certs raise more than a few eyebrows (issuing country in parentheses):
GDCA TrustAUTH R5 ROOT (CN)
S-Trust Universal Root CA (DE)
Notarius Root CA (CA)
Certplus Root CA G1 (FR)
Swedish Government Root CA v2 (SE)
CCA India 2015 (IN)
MULTICERT Root CA 01 (PT)
Certplus Root CA G2 (FR)
OpenTrust Root CA G3 (FR)
OpenTrust Root CA G2 (FR)
OpenTrust Root CA G1 (FR)
GlobalSign Root CA - R6 (US)
Tunisian Root CA - TunRootCA2 (TN)
CCA India 2014 (IN)
WoSign ECC (CN)
WoSign G2 (CN)
The RXC-R2 US certificate has conspiracy theorists reaching for their space blankets, because nobody has heard of RXC-R2.
A Hacker News firestorm has ensued. Poster Mojah hits the nail on the head with his summary:
I think this demonstrates 2 very major problems with SSL Certificates we have today:
1. Nobody checks which root certificates are currently trusted on your machine(s).
2. Our software vendors can push new Root Certificates in automated updates without anyone knowing about it.
Mattias Geniar goes into detail about the ongoing problems with root certificates in his blog:
This just goes to show how fragile our system of trust really is. Adding new Root Certificates to an OS essentially gives the owner of that certificate (indirect) root privileges on the system.
It may not allow direct root access to your machines, but it allows them to publish certificates your PC/server blindly trusts.
This is an open door for phishing attacks with drive-by downloads.
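The practical answer to both complaints above (nobody checks which roots are trusted, and vendors can add roots silently) is to baseline the machine's trusted-root stores and diff them on a schedule. The script below is an added example written for this article, not code from Microsoft or from the people quoted; the baseline file path is an assumption, while the two store names are the real Windows store names.

```powershell
# Added example: snapshot the Windows trusted-root stores and diff them against a saved baseline.
# Run once to record the baseline, then re-run (e.g. from a scheduled task) to see what changed.
param(
    [string]$BaselinePath = "$env:ProgramData\RootBaseline.csv",  # assumed location, change as needed
    [switch]$UpdateBaseline
)

# Both stores feed the trusted-root decision: Root holds roots installed locally or by policy,
# AuthRoot holds roots delivered through the Microsoft Root Certificate Program.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'

# Collect one record per certificate, keyed on store plus SHA-1 thumbprint.
$current = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
        }
    }
}

# First run (or explicit refresh): write the baseline and stop.
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written: $($current.Count) roots recorded in $BaselinePath"
    return
}

# Compare by store and thumbprint; '=>' marks entries present now but not in the baseline.
$baseline = Import-Csv -Path $BaselinePath
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
    -Property Store, Thumbprint -PassThru

if (-not $diff) {
    Write-Host "No change in trusted roots since baseline."
    return
}

foreach ($entry in $diff) {
    $change = if ($entry.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    Write-Host ("{0} {1} {2} {3}" -f $change, $entry.Store, $entry.Thumbprint, $entry.Subject)
}
```

Because Windows can also fetch a root from the Microsoft Root Program on demand the first time a chain needs it, AuthRoot only reflects roots that have already landed on this machine, so treat the diff as what has actually been installed locally rather than the complete program list.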
Was this a willful attempt to secretly push new root certs on all Windows PCs, or just another Microsoft documentation glitch?
It'll be interesting to see the response from the 'Softies.