Windows 11 erases Windows 10 digital-signature fix

Topic

New Reply

ISSUE 20.16 • 2023-04-17 PUBLIC DEFENDER By Brian Livingston A Registry tweak recommended by Microsoft to guard against malware in digitally signed fi
[See the full post at: Windows 11 erases Windows 10 digital-signature fix]

8 users thanked author for this post.

abbodi86, ibe98765, lmacri, fisher75, WCHS, geekdom, DLivesInTexas, rc primak

Reply | Quote

Replies

It’s an ambiguous article? A registry tweak gets deleted when upgrading to Windows 11. But at the same time, that registry tweak doesn’t do anything to protect against- or signal malware. That leaves the question: what’s the problem?

The real problem, as far as I understand it, is not fixed. Thread actors can still add malware to signed executables – it’s up to the virusscanner to pick it up?

2 users thanked author for this post.

rc primak, b

Reply | Quote

So I read the article again and also the Security Advisory. It’s pretty clear to me now. The problem has been acknowledged and remedied by Microsoft many years ago. And then found out this ‘undocumented feature’ is used heavily throughout the industry. And so Microsoft backtracked – the fix is installed, but it’s up to the user to activate it (registry settings) and good luck!

In other words, Microsoft fixed a security problem – but not really – and let’s the user do the actual fixing on their own risk.

And then when Windows 11 came along, you know, the version that focuses on security, Microsoft decided to leave this security feature disabled, like they did with Windows 10. And in case you actually had activated the feature, Windows 11 was kind enough to disable is.

I didn’t know about this whole thing and that I am responsible for switching it on. And I guess lots of people don’t know about this problem?

1 user thanked author for this post.

geekdom

Reply | Quote

Will there be a Microsoft patch that will protect against this threat?

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender

1 user thanked author for this post.

rc primak

Reply | Quote

Apparently not.

Too many installers include certificates with extra code in them. All would fail to work if enforcement were made strict with a security patch. The help desk impacts would be large. (per Microsoft, in the fixed reference links I posted in this thread) (Reply #2552719 )

I might consider using VirusTotal to screen all incoming installers before running them. Not a perfect solution, but the best I can imagine with my limited technical skills.

I certainly do not want to introduce yet another reason for my favorite software to fail to update. But I do want to know if something genuinely threatening is being included with any installer. Just getting a warning from the Smart Screen Reputation Service really does not solve the problem for me.

Is there a tool or program which can look at an installer’s certificate(s) and show all extraneous code contained in the certificate(s)?

More details here . Unfortunately, Google Chrome is one offender. That makes the fix suggested impractical for a lot of Windows users. What other installers many of us use which violate certificate rules, no one has said. Brian says there are “many” such installers. Not very encouraging if we really want secure Windows installers.

-- rc primak

2 users thanked author for this post.

ibe98765, geekdom

Reply | Quote

What if MSFT’s true intention is to force everyone to go to MSFT Store or to run programs only from Azure? Then this bug makes sense.

Reply | Quote

B. Livingston wrote:

Be sure to read Microsoft’s Security Advisory 2915720 for details on this procedure.

This link is broken.

The link to this article in the free newsletter also appears to be broken.

Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

1 user thanked author for this post.

rc primak

Reply | Quote

b wrote:

B. Livingston wrote:

Be sure to read Microsoft’s Security Advisory 2915720 for details on this procedure.

This link is broken.

The link to this article in the free newsletter also appears to be broken.

I’m trying to read the article in the public newsletter, but the link “Read online” just loops back to itself.

Reply | Quote

Got it fixed.

Susan Bradley Patch Lady

Reply | Quote

It remains uncorrected here at the bottom of the article:

Be sure to read Microsoft’s Security Advisory 2915720 for details on this procedure. For example, there’s a different file to use on 32-bit systems, and you should be aware that some software installers may fail when stricter Authenticode checking is in effect.

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender

Reply | Quote

Microsoft Security Advisory 2915720 

Microsoft Security Bulletin MS13-098 – Critical

Are these the links we need?

 

-- rc primak

2 users thanked author for this post.

Will Fastie, geekdom

Reply | Quote

rc primak wrote:

Microsoft Security Advisory 2915720

The first one. Microsoft Security Advisory, matches the registry changes shown in the article.

Edited to add: The Microsoft Security Advisory was last updated: July 29, 2014.

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender

1 user thanked author for this post.

rc primak

Reply | Quote

Simon_Weel wrote:

And so Microsoft backtracked – the fix is installed, but it’s up to the user to activate it (registry settings) and good luck!

Progress takes a giant step backward. I’ve created a .reg file, but is it wise to employ it?

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender

Reply | Quote

I enabled the optional fix, used the computer as usual throughout the day [two weeks ago], and did not run into any issues that made me regret my decision.

While this may cause an issue with some installers, like Google Chrome, not showing as signed, the added protection is worth the inconvenience.

Lawrence Abrams, Bleeping Computer

Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

1 user thanked author for this post.

geekdom

Reply | Quote

A signed program is executing code stuffed into an unsigned, unused area in its signature.

And the problem is supposedly with the signature protocol, and not the program?

If it’s never executed, it doesn’t matter what a malware writer sticks in there. And if a signed program is doing anything with unsigned data — let alone executing it — without validating that data first, the program is faulty.

The authors of the signed program would almost have to be complicit in creating a backdoor for malware for that code ever to be run. Doesn’t kind of defeat the whole purpose of signing if you can’t trust them not to do things like that?

Reply | Quote

The registry fix might best be referred to as “half-loaf better than none”; I’ve implemented the registry fix.

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender

Reply | Quote

Hey Y’all,

This piqued my interest so I did a little digging.

References:
https://blog.netwrix.com/2022/12/16/alternate_data_stream/
https://powershellcookbook.com/recipe/XilI/interact-with-alternate-data-streams

NOTE: ADS = Alternate Data Stream

Access Streams:

Command Prompt:

 
     *** Write data to secret stream ***
C:\WINDOWS\system32>Echo "This im my ADS stream named SECRET That CANNOT be seen by Notepad or other tools." > G:\BEKDocs\Transfer\passGAN-128x72.png:secret

     *** Read secret stream ***
C:\WINDOWS\system32>more < G:\BEKDocs\Transfer\passGAN-128x72.png:secret
"This im my ADS stream named SECRET That CANNOT be seen by Notepad or other tools."

     *** Clear secret stream ***
 C:\WINDOWS\system32>Echo. > G:\BEKDocs\Transfer\passGAN-128x72.png:secret
 
     *** Attempt to read cleared stream ***
C:\WINDOWS\system32>more < G:\BEKDocs\Transfer\passGAN-128x72.png:secret

C:\WINDOWS\system32>

PowerShell:

 
#------------------------------- Code --------------------- 
Clear-Host
"     *** Set new value to ADS Secret ***`n"
$SCArgs = 
  @{Path  = "G:\BEKDocs\Transfer\passGAN-128x72.png:secret"
    Value = "PowerShell ADS stream named SECRET"
    ErrorAction = "SilentlyContinue"}
Set-content @SCArgs 

"     *** Read new value from ADS Secret ***`n"
Get-Content $SCArgs.Path  
#----------------------------End Code --------------------- 

Results:

  
     *** Set new value to ADS Secret ***

     *** Read new value from ADS Secret ***

PowerShell ADS stream named SECRET

#------------------------ Show all Streams ----------------
 
PS> Get-Item -Path "G:\BEKDocs\Transfer\passGAN-128x72.png" -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::G:\BEKDocs\Transfer\passG
                AN-128x72.png::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::G:\BEKDocs\Transfer
PSChildName   : passGAN-128x72.png::$DATA
PSDrive       : G
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : G:\BEKDocs\Transfer\passGAN-128x72.png
Stream        : :$DATA
Length        : 7993

PSPath        : Microsoft.PowerShell.Core\FileSystem::G:\BEKDocs\Transfer\passG
                AN-128x72.png:secret
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::G:\BEKDocs\Transfer
PSChildName   : passGAN-128x72.png:secret
PSDrive       : G
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : G:\BEKDocs\Transfer\passGAN-128x72.png
Stream        : secret
Length        : 36
#------ Note: Restored this file from File History
#------       and this stream no longer existed!
PSPath        : Microsoft.PowerShell.Core\FileSystem::G:\BEKDocs\Transfer\passG
                AN-128x72.png:Zone.Identifier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::G:\BEKDocs\Transfer
PSChildName   : passGAN-128x72.png:Zone.Identifier
PSDrive       : G
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : G:\BEKDocs\Transfer\passGAN-128x72.png
Stream        : Zone.Identifier
Length        : 191
 
#-------------------------- End Show All Streams  ---------------

Further exploration revealed that the Zone.Identifier is
associated with the Mark of the Internet. I tested a file
that had not been unblocked as follows:

PS> Get-Item -Path "\\ComputerMentor2\CMShared\NAS-Downloads\Test\Revosetup.exe" -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::\\ComputerMentor2\CMShare
                d\NAS-Downloads\Test\Revosetup.exe:Zone.Identifier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::\\ComputerMentor2\CMShare
                d\NAS-Downloads\Test
PSChildName   : Revosetup.exe:Zone.Identifier
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : \\ComputerMentor2\CMShared\NAS-Downloads\Test\Revosetup.exe
Stream        : Zone.Identifier
Length        : 141

PSPath        : Microsoft.PowerShell.Core\FileSystem::\\ComputerMentor2\CMShare
                d\NAS-Downloads\Test\Revosetup.exe::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::\\ComputerMentor2\CMShare
                d\NAS-Downloads\Test
PSChildName   : Revosetup.exe::$DATA
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : \\ComputerMentor2\CMShared\NAS-Downloads\Test\Revosetup.exe
Stream        : :$DATA
Length        : 6969656

Google Chrome Installer: — Doesn’t show signs of second stream —

PS> Get-Item -Path \\ComputerMentor2\CMShared\NAS-Downloads\ChromeSetup.exe -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::\\ComputerMentor2\CMShare
                d\NAS-Downloads\ChromeSetup.exe:Zone.Identifier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::\\ComputerMentor2\CMShare
                d\NAS-Downloads
PSChildName   : ChromeSetup.exe:Zone.Identifier
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : \\ComputerMentor2\CMShared\NAS-Downloads\ChromeSetup.exe
Stream        : Zone.Identifier
Length        : 391

PSPath        : Microsoft.PowerShell.Core\FileSystem::\\ComputerMentor2\CMShare
                d\NAS-Downloads\ChromeSetup.exe::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::\\ComputerMentor2\CMShare
                d\NAS-Downloads
PSChildName   : ChromeSetup.exe::$DATA
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : \\ComputerMentor2\CMShared\NAS-Downloads\ChromeSetup.exe
Stream        : :$DATA
Length        : 1343320

Google Chrome: — Doesn’t show signs of second stream —

  
PS> Get-Item -Path "C:\Program Files\Google\Chrome\Application\Chrome.exe" -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Program 
                Files\Google\Chrome\Application\Chrome.exe::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Program 
                Files\Google\Chrome\Application
PSChildName   : Chrome.exe::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Program Files\Google\Chrome\Application\Chrome.exe
Stream        : :$DATA
Length        : 3211544

Still can’t seem to find where the Digital Signatures are stored!

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

Still can’t seem to find where the Digital Signatures are stored!

SignTool is a command-line tool that digitally signs files, verifies the signatures in files, and time stamps files and is available as part of the Windows SDK, which you can download from Windows SDK.
Verify command option /a:
Specifies that all methods can be used to verify the file. First, SignTool searches the catalog databases to determine whether the file is signed in a catalog. If the file isn’t signed in any catalog, SignTool attempts to verify the file’s embedded signature. We recommend this option when verifying files that might or might not be signed in a catalog. Examples of files that might or might not be signed include Windows files or drivers.

HP Compaq 6000 Pro SFF PC / Windows 10 Pro / 22H2
Intel®Core™2 “Wolfdale” E8400 3.0 GHz / 8.00 GB

Reply | Quote

RetiredGeek wrote:

This piqued my interest so I did a little digging.

Did you discover anything useful?

RetiredGeek wrote:

NOTE: ADS = Alternate Data Stream

How is that, or your following seven code boxes, related to Authenticode?

Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

Reply | Quote

b,

True, but none of them show any indication of a digital signature that could be checked by sight for possible trailing code.

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

Where is the digital signature stored when code signing a exe file in windows?

Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

1 user thanked author for this post.

oldfry

Reply | Quote

EXE files (binary executable, like DLL, etc.) are classified as portable executables (PE) and as such contain a PE header which specifies the location of the signature within the file.

The signature itself is stored in the main data stream (look towards the end of the stream.)  IIRC, the signature only considers the data stream/ ignores any alternate data streams that may exist.

I didn’t read this article closely, but the article I saw earlier today made this vulnerabilty sound like a typical loader issue (meaning the signature verifies the EXE when the OS creates the process, but the malicious code is injected into the process after creation. It’s been that way forever on Windows.  Don’t let malicous code run with enough privileges to inject code into another process….  I think they’re trying to highlight a signature verified tool that can load (DLLs?) without validating the DLL signatures, but again that is just buggy code and I’ve seen many tools on Windows do that since forever…

1 user thanked author for this post.

geekdom

Reply | Quote

Sometimes it’s difficult to tell the difference between buggy and malicious. However, buggy can be manipulated to be malicious.

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender

Reply | Quote

Just my 2 cents but it sounds, and has been sounding like Win 11 is a bigger nightmare than Win 10.  Why even bother with Win 11 when Win 10 is supported until 2025?  Oh yeah, it’s a new toy to play with.  Play?

Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.

Reply | Quote

Microsoft is a security target due to the enormity of their user base, security whack-a-mole for microsoft and end-users with end-users avoiding microsoft’s junkware and dispicable tactics ontop, let the fun and games continue..You couldn’t make this up!

Wile E Coyote and Roadrunner, looney tunes and merry melodies spring to mind.
(although cartoons were FAR more entertaining)

Keeping IT Lean, Clean and Mean!

1 user thanked author for this post.

Charlie

Reply | Quote

Microsoft been playing wack a mole with security for as long as I can remember. I give Microsoft credit for trying, but clearly Windows being such a big target and having two version Windows 10 and 11 being supported has got to be a mess keeping things straight. Besides how many upgrade to Windows 11 from 10 and then decide to downgrade back to Windows 10. What is potentially lost in that transition?

1 user thanked author for this post.

Charlie

Reply | Quote

I still don’t understand the problem. I understand that it would be possible to place arbitrary data, including executable instructions, in the Authenticode block, and it would not invalidate the signature. So… what?

If the data is code, I fail to understand under what bizarre circumstances this code would be executed. It would have to be an intentional back door in the signed program.

If the signed program depends on this data to the extent that this dependence creates a security risk (whether the data is code or something else), the program is faulty — or the programmers have intentionally created a back door.

Why is this a security issue with Authenticode, or with Windows? If it’s a security issue at all, the issue is with the applications using unsigned data for security-sensitive operations. Microsoft can’t fix stupid (or malicious, once it has a signing certificate).

Reply | Quote

Mike wrote:

It’s been that way forever on Windows. Don’t let malicous code run with enough privileges to inject code into another process…. Microsoft been playing wack a mole with security for as long as I can remember. I give Microsoft credit for trying, but clearly Windows being such a big target and having two version Windows 10 and 11 being supported has got to be a mess keeping things straight.

So true. This has been used by everyone from script kiddies to black hackers  to extreme government supported hackers for years. No one at MS cares to address it since it will take using their brain cells.

John wrote:

It’s been that way forever on Windows. Don’t let malicous code run with enough privileges to inject code into another process…. Microsoft been playing wack a mole with security for as long as I can remember. I give Microsoft credit for trying, but clearly Windows being such a big target and having two version Windows 10 and 11 being supported has got to be a mess keeping things straight.

There are so many ways to get elevate privileges in Windows that is too fun that MS says that it focus on security. Windows has way to exploit the OS to give privileges either system or ADMIN which anyone can do without any additional software installed. After that, there are exploits depending what software is installed.

Over 15 years now, it has come that those that want security have move to Linux. Linux has its problems but it is more secure than Windows by a factor of 30 from my experience.

Those that do not care about security or are non-tech savvy stay with Windows.

 

 

Reply | Quote

MS no security change to Linux NOW wrote:

There are so many ways to get elevate privileges in Windows that is too fun that MS says that it focus on security.

Please provide some examples.

Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

Reply | Quote

Create, on a consistent basis, an image backup.

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender

Reply | Quote