AUSCERT External Security Bulletin Redistribution
Changes in Windows Authenticode Signature Verification
11 December 2013
AusCERT Security Bulletin Summary
Product: Microsoft Windows
Operating System: Windows
Impact/Access: Reduced Security -- Unknown/Unspecified
--------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Advisory (2915720)
Changes in Windows Authenticode Signature Verification
Published: Tuesday, December 10, 2013
Microsoft is announcing the availability of an update for all supported
releases of Windows to change how signatures are verified for binaries signed
with the Windows Authenticode signature format. The change is included with
Security Bulletin MS13-098, but will not be enabled until June 10, 2014. Once
enabled, the new default behavior for Windows Authenticode signature
verification will no longer allow extraneous information in the
WIN_CERTIFICATE structure. Note that after June 10, 2014, Windows will no
longer recognize non-compliant binaries as signed.
Recommendation. Microsoft recommends that by June 10, 2014, executable
authors ensure that all signed binaries comport with this new verification
behavior by containing no extraneous information in the WIN_CERTIFICATE
structure. Microsoft also recommends that customers appropriately test this
change to evaluate how it will behave in their environments. Please see the
Suggested Actions section of this advisory for more information.
Review Microsoft Root Certificate Program Technical Requirements
Customers who are interested in learning more about the topic covered in this
advisory should review Windows Root Certificate Program - Technical Requirements.
Modify Binary Signing Processes by June 10, 2014
After reviewing the technical details underlying the change in Authenticode
signature verification behavior, Microsoft recommends that customers ensure
that their Authenticode signatures do not contain extraneous information in
the WIN_CERTIFICATE structure. Microsoft also recommends that executable
authors verify that their Authenticode-signed binaries conform to the new
verification requirements before June 10, 2014. Authors who have modified
their binary signing processes and would like to enable the new behavior prior
to June 10, 2014 may do so on an opt-in basis. After June 10, 2014, binaries
with signatures that do not conform to the new verification process will be
considered unsigned. See Windows Root Certificate Program - Technical
Requirements for guidance.
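One way an executable author can pre-check a signed binary against this rule, as an added example that is not Microsoft's or AusCERT's code: it walks the WIN_CERTIFICATE entries of a PE Attribute Certificate Table and reports any bytes that follow the PKCS#7 SignedData. Assumptions: the table bytes have already been extracted from the PE security data directory, and zero padding up to the 8-byte entry alignment is tolerated while anything else counts as extraneous.

```python
import struct

# WIN_CERTIFICATE layout from the PE/COFF specification:
#   dwLength (DWORD) | wRevision (WORD) | wCertificateType (WORD) | bCertificate[]
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_element_length(buf):
    """Total encoded size (tag + length octets + content) of the DER element at buf[0]."""
    if len(buf) < 2:
        raise ValueError("truncated DER header")
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def audit_certificate_table(table):
    """Per entry: bytes in bCertificate beyond the SignedData, and whether the entry
    passes (assumption: only zero bytes up to the 8-byte boundary are tolerated)."""
    findings, off = [], 0
    while off + WIN_CERT_HEADER.size <= len(table):
        length, rev, ctype = WIN_CERT_HEADER.unpack_from(table, off)
        if length < WIN_CERT_HEADER.size or off + length > len(table):
            raise ValueError("bad dwLength at offset %d" % off)
        cert = table[off + WIN_CERT_HEADER.size:off + length]
        if (rev != WIN_CERT_REVISION_2_0 or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA
                or len(cert) < 2 or cert[:1] != b"\x30"):   # SignedData is a SEQUENCE
            findings.append({"offset": off, "ok": False, "reason": "unexpected revision/type/encoding"})
        else:
            extra = cert[der_element_length(cert):]
            ok = len(extra) < 8 and not any(extra)
            findings.append({"offset": off, "extraneous": len(extra), "ok": ok})
        off += (length + 7) & ~7           # entries are quadword aligned
    return findings


def make_entry(signed_data, trailer=b""):
    """Build a constructed WIN_CERTIFICATE entry (with alignment padding) for testing."""
    body = signed_data + trailer
    hdr = WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body),
                               WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    entry = hdr + body
    return entry + b"\0" * (-len(entry) % 8)


# Constructed sample: a 5-byte DER SEQUENCE stands in for a real SignedData blob.
SIGNED_DATA = b"\x30\x03\x02\x01\x05"
CLEAN = make_entry(SIGNED_DATA)                     # conforms after June 10, 2014
APPENDED = make_entry(SIGNED_DATA, b"extra-bytes")  # 11 extraneous bytes: treated as unsigned
```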
Test the Improvement to Authenticode Signature Verification
Microsoft recommends that customers test how this change to Authenticode
signature verification behaves in their environment by enabling it prior to
June 10, 2014. To enable the Authenticode signature verification improvements,
create (or modify) the system registry key and string value detailed below and
set the string value to "1" (setting the string value to "0", or deleting the
key, effectively disables the update):
Warning If you use Registry Editor incorrectly, you may cause serious problems
that may require you to reinstall your operating system. Microsoft cannot
guarantee that you can solve problems that result from using Registry Editor
incorrectly. Use Registry Editor at your own risk.
To enable the update:
EnableCertPaddingCheck = "1"
To disable the update:
EnableCertPaddingCheck = "0"
Note Enabling the update will cause non-conforming binaries to appear unsigned
and, therefore, render them untrusted.
Keep Windows Updated
Windows users should apply the latest Microsoft security updates to help make
sure that their computers are as protected as possible. If you are not sure
whether your software is up to date, visit Windows Update, scan your computer
for available updates, and install any high-priority updates that are offered
to you. If you have Automatic Updates enabled, the updates are delivered to
you when they are released, but you have to make sure you install them.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.