ISSUE 20.16.F • 2023-04-17
You’re reading the FREE newsletter


In this issue

PUBLIC DEFENDER: Windows 11 erases Windows 10 digital-signature fix

Additional articles in the PLUS issue

INTERNET: How to manage your browser cookies

ONEDRIVE: When OneDrive isn’t OneDrive

PATCH WATCH: Apple and Microsoft fix April zero days




PUBLIC DEFENDER

Windows 11 erases Windows 10 digital-signature fix

By Brian Livingston

A Registry tweak that Microsoft documented to guard against malware hidden in digitally signed files is silently removed if you upgrade from Windows 10 to Windows 11. As if that weren’t bad enough, at least one major software company has distributed to 600,000 customers worldwide a Trojan horse hidden in an executable file that still carries a valid Microsoft digital signature.

The fact that malware can be inserted into an executable file without invalidating the file’s digital signature casts doubt on the whole idea that a digitally signed file can be trusted.

Figure 1. (Left) Without the Registry tweak, a hacked DLL’s Properties dialog box shows a valid digital signature from Microsoft Corporation. (Right) With the tweak, the dialog box has no Digital Signatures tab at all, indicating that the file has been altered. However, the tweak does not provide true security, as explained below. Source: BleepingComputer; orange callouts by the author.

As shown in Figure 1, one of the hacked files that was widely distributed, d3dcompiler_47.dll, appears in its Properties dialog box to have a legitimate digital signature from Microsoft. But if you add the EnableCertPaddingCheck value to two Registry keys in Windows 10 or 11, the Properties dialog box shows no Digital Signatures tab at all, because Windows then refuses to treat the altered file as signed.

Making the Registry change doesn’t actually protect you from hacked files that appear to have valid digital signatures. The tweak only changes what Windows reports about the signature. It doesn’t prevent you from downloading and running a maliciously altered file and infecting your device, and you would receive no warning.

I’ll show you the real problem and how to protect yourself from it.

Distributing malware files digitally signed by Microsoft is bad news

There’s an underlying stupidity here: A digitally signed executable carries its Authenticode signature in an attribute-certificate table, the so-called WIN_CERTIFICATE structure, which is excluded from the hash that the signature covers. The structure is supposed to hold the PKCS#7 signature blob followed by zero padding. But verification stops at the end of the blob, so anything placed after it, up to the length the structure declares, is neither hashed nor checked, and bad people can park an entire malware payload there. This is called Authenticode stuffing.

Way back in December 2013, Microsoft itself recognized how serious this hack could be. In Security Advisory 2915720, the company introduced an opt-in fix and notified the software industry that it would soon make the change mandatory:

When enabled, the new behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure, and Windows will no longer recognize non-compliant binaries as signed. Note that Microsoft may make this a default behavior in a future release of Microsoft Windows.

Microsoft announced in the advisory that stricter Authenticode verification would become the Windows default on August 12, 2014. However, Microsoft lost its nerve and amended the advisory in July 2014, before the change took effect. The new advice was that the strict behavior would not become mandatory, because too many software developers were writing data into the supposedly ignored area:

However, as we worked with customers to adapt to this change, we determined that the impact to existing software could be high. Therefore, Microsoft no longer plans to enforce the stricter verification behavior as a default requirement.

For instance, the Google Chrome installer for Windows records in its digital-signature data area whether you left checked the box agreeing that your usage data may be uploaded to a Google server. CERT security analyst Will Dormann explains this in a tweet thread.

Additional examples include the Dropbox installer and various other software products that were developed using Google’s Omaha code project, according to an excellent explanation by Kevin Jones. He’s the developer of Authenticode Lint, a tool to check digital signatures (GitHub).
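To make the mechanism concrete, here is an added example (my own code, not from the newsletter, from Microsoft, or from Authenticode Lint) that applies the same rule the EnableCertPaddingCheck setting enforces. It parses a PE file’s attribute-certificate table, measures the DER-encoded PKCS#7 blob inside each WIN_CERTIFICATE entry, and reports any non-zero bytes between the end of that blob and the end of the entry. Every function and field name is my own. The build_test_pe() fixture constructs a minimal, non-loadable PE32+ image with a fake DER SEQUENCE in place of a real signature; it exists only so the check can run offline, and its bytes are invented. To inspect a real file, pass its path on the command line.

```python
"""Authenticode 'certificate padding' check (added example; all identifiers are my own).
Walks a PE file's attribute certificate table and flags non-zero bytes that sit inside a
WIN_CERTIFICATE entry but after its DER-encoded PKCS#7 blob: the region the Authenticode
hash does not cover, where stuffed payloads live, and what EnableCertPaddingCheck=1 rejects."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the certificate table
WIN_CERT_HEADER = struct.Struct("<IHH")  # dwLength, wRevision, wCertificateType; bCertificate follows
WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA, DER_SEQUENCE = 0x0200, 0x0002, 0x30


def der_element_length(buf, offset=0):
    """Bytes occupied (tag + length field + content) by the DER element at `offset`.
    A PKCS#7 ContentInfo is a SEQUENCE, so the first byte must be 0x30."""
    if len(buf) < offset + 2 or buf[offset] != DER_SEQUENCE:
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    first = buf[offset + 1]
    if first < 0x80:                     # short form: the byte is the content length
        return 2 + first
    num_len_bytes = first & 0x7F         # long form: 0x8N, then N big-endian length bytes
    if num_len_bytes == 0 or num_len_bytes > 4:
        raise ValueError("unsupported DER length encoding")
    return 2 + num_len_bytes + int.from_bytes(buf[offset + 2:offset + 2 + num_len_bytes], "big")


def security_directory(pe):
    """(file offset, size) of the attribute certificate table, or (0, 0) if absent.
    Unlike the other data directories, this one holds a raw file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_hdr = e_lfanew + 4 + 20          # past "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    if magic == 0x10B:                   # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dir_off = 92, 96
    elif magic == 0x20B:                 # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        count_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    if struct.unpack_from("<I", pe, opt_hdr + count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    return struct.unpack_from("<II", pe, opt_hdr + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def check_cert_padding(pe):
    """Apply the padding rule to every WIN_CERTIFICATE entry. Returns one dict per entry;
    padding_ok is False if any non-zero byte follows the PKCS#7 blob before the entry's
    8-byte-aligned end."""
    table_off, table_size = security_directory(pe)
    pos, end, findings = table_off, table_off + table_size, []
    while table_size and pos + WIN_CERT_HEADER.size <= end:
        dw_length, _revision, _cert_type = WIN_CERT_HEADER.unpack_from(pe, pos)
        if dw_length < WIN_CERT_HEADER.size or pos + dw_length > end:
            raise ValueError("WIN_CERTIFICATE dwLength runs past the certificate table")
        aligned_len = (dw_length + 7) & ~7   # entries are padded to 8-byte boundaries
        body = pe[pos + WIN_CERT_HEADER.size:pos + dw_length]
        sig_len = der_element_length(body)
        if sig_len > len(body):
            raise ValueError("PKCS#7 blob claims more bytes than the entry holds")
        # Everything after the blob is outside the signed hash; legitimately it is zero padding.
        trailing = pe[pos + WIN_CERT_HEADER.size + sig_len:pos + aligned_len]
        findings.append({"entry_offset": pos, "signature_len": sig_len,
                         "trailing_len": len(trailing),
                         "stuffed_len": sum(1 for b in trailing if b),
                         "padding_ok": not any(trailing)})
        pos += aligned_len
    return findings


def build_test_pe(extra=b""):
    """Constructed fixture: a headers-only PE32+ image whose certificate table holds a fake
    DER SEQUENCE (0xA5 filler, not a real signature) followed by `extra`. A non-empty `extra`
    imitates Authenticode stuffing."""
    filler = b"\xA5" * 300
    body = bytes([DER_SEQUENCE, 0x82]) + len(filler).to_bytes(2, "big") + filler + extra
    dw_length = WIN_CERT_HEADER.size + len(body)
    aligned_len = (dw_length + 7) & ~7
    entry = WIN_CERT_HEADER.pack(dw_length, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    entry += body + b"\0" * (aligned_len - dw_length)
    cert_off, opt_size = 0x200, 112 + 16 * 8
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)  # AMD64, no sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                                # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(entry))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return image.ljust(cert_off, b"\0") + entry


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(bytes(range(1, 21)))
    for finding in check_cert_padding(data):
        print(finding)
```

A clean file reports zero trailing bytes, or only the zeros that 8-byte alignment requires. A Chrome or Dropbox installer carrying an Omaha tag, or a DLL carrying a stuffed payload, comes back with padding_ok False, which is exactly the condition that makes Windows treat the file as unsigned once the Registry tweak is in place. The check does not verify the signature itself; it answers only the narrower question of whether the file is stuffed.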

The Authenticode weakness has been exploited by malware authors many times. But the bits really hit the fan on March 30, 2023, when 3CX, a major provider of VoIP telephone software, announced that hackers had turned its Windows and Mac desktop packages into Trojan-horse malware. In the Windows package, two DLLs had been altered, and because the payload hidden in d3dcompiler_47.dll sat in the area Authenticode ignores, the file’s Microsoft signature still verified. Once loaded, the Trojan contacted a command-and-control server for instructions (see Figure 2).

Figure 2. In step 1, the hackers gained access to 3CX’s code. In step 2, two Trojanized DLLs were shipped in 3CX’s software packages. In step 3, ffmpeg.dll calls the code hidden in d3dcompiler_47.dll. Finally, the DLLs connect to the hackers’ server for instructions. Larger version and explanation at Sophos.

3CX software is reportedly used by more than 600,000 companies worldwide. Over 12 million people make calls using its VoIP software on a typical day. 3CX’s customers include big names such as Air France, Coca-Cola, IKEA, McDonald’s, Toyota, and the UK National Health Service. Getting rid of the malware — which gave the hackers total control of a device — required 3CX’s customers to uninstall the client software on every individual machine. Yuck.

How to protect yourself against ‘dangerously signed’ software

Fortunately, antivirus companies recognized the strange behaviors coming out of 3CX’s software and started warning users — while blocking the malware.

The attack is tracked as CVE-2023-29059. The entry for it in the National Institute of Standards and Technology (NIST) National Vulnerability Database links to many antivirus companies whose software halted the Trojan’s suspicious activity, including CrowdStrike, Fortinet, Huntress, and Sophos.

This particular Authenticode-stuffing attack is the work of the Lazarus Group, a North Korean state-sponsored team, according to numerous experts, including Kaspersky malware researcher Georgy Kucherin in a tweet.

For its part, Microsoft points users to security updates and the Redmond company’s own antivirus software rather than to the rather weak Registry tweak. The firm said this month in a statement (Dark Reading):

As a best practice, we encourage customers to apply all the latest security updates for better protection. In addition, Defender for Endpoint and Microsoft Defender antivirus can detect and block the domains and files involved with this threat.

Quick action by many antivirus vendors helped protect users and minimize infections. This included removing from public servers the file repositories the Trojan had used, as well as blocking the domain names the hackers employed for command and control.

With the perps’ online resources neutralized, there’s little danger that the hackers can now command or control the Trojan. That leaves you with little reason to add the Registry tweak, since it provides little to no protection from infection: it changes what the signature check reports, but it blocks nothing. If you want to experiment anyway, Microsoft specifies the following Registry values for 64-bit Windows installations (the Wow6432Node key is the one 32-bit programs read on 64-bit Windows):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

Follow these steps to add the keys to the Registry:

  1. Paste the lines above into a text editor, using straight (not curly) quotation marks, and save the file with a .reg extension.
  2. Double-click the .reg file to add the lines to the Registry.
  3. Restart your computer to assure the changes take effect.

Be sure to read Microsoft’s Security Advisory 2915720 for details on this procedure. For example, Microsoft provides a different .reg file for 32-bit systems, which have no Wow6432Node key, and you should be aware that some software installers, including ones that write data into the signature area as described above, may fail when stricter Authenticode checking is in effect.

And if you add the Registry tweak to Windows 10, watch out if you upgrade to Windows 11. The new OS silently deletes your addition, and you must remember to apply it again. Sheesh.

Do you know something that we all should know? Tell me about it! Send your story in confidence to publicdefender@askwoody.com.
Join the conversation! Your questions, comments, and feedback about this topic are always welcome in our forums!

The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of 11 Windows Secrets books, and author of the new fintech book Muscular Portfolios. Get his free monthly newsletter.




Here are the other stories in this week’s Plus Newsletter

INTERNET

How to manage your browser cookies

By Lance Whitney

Browser cookies can be helpful or harmful, depending on how and why they’re used in your browser. The key lies in taking control of them.

You probably already know that Web browsers use cookies to save certain information. Over the years, cookies have developed a bad rep because many websites and advertisers use them to track your online activities for the purpose of sending you ads and other targeted content.

But cookies can also help you by storing key details at websites that you frequently use. The trick here is knowing which cookies are good and which are bad, and how to manage them in general.

ONEDRIVE

When OneDrive isn’t OneDrive

By Will Fastie

You think you know what you’re talking about, and then reality hits you smack on the nose.

You may recall that I have two OneDrive instances — one belonging to me, my personal Microsoft 365 account, and one belonging to the 365 Business plan we use to run this operation.

I thought they were identical in every respect.

PATCH WATCH

Apple and Microsoft fix April zero days

By Susan Bradley

Tomorrow is the tax-filing deadline in the US. It’s not the time to be installing updates, especially since we’re still at MS-DEFCON 2.

In other words, we’re still in deferral mode despite several newsworthy patching headlines and despite my not having noticed any significant side effects. As usual, I suggest patience until we know more.

The majority of the items of concern relate to businesses, not consumers. Here are some highlights.



The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.

Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2023 AskWoody Tech LLC. All rights reserved.