Microsoft Security IT

Microsoft Digital Certificates Once Again Abused To Sign Malware (arstechnica.com)

Microsoft has once again been caught allowing its legitimate digital certificates to sign malware in the wild, a lapse that allows the malicious files to pass strict security checks designed to prevent them from running on the Windows operating system. ArsTechnica: Multiple threat actors were involved in the misuse of Microsoft's digital imprimatur, which they used to give Windows and endpoint security applications the impression malicious system drivers had been certified as safe by Microsoft. That has led to speculation that there may be one or more malicious organizations selling malicious driver-signing as a service. In all, researchers have identified at least nine separate developer entities that abused the certificates in recent months.

The abuse was independently discovered by four third-party security companies, which then privately reported it to Microsoft. On Tuesday, during Microsoft's monthly Patch Tuesday, the company confirmed the findings and said it has determined the abuse came from several developer accounts and that no network breach has been detected. The software maker has now suspended the developer accounts and implemented blocking detections to prevent Windows from trusting the certificates used to sign the compromised certificates. "Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks," company officials wrote.

  • by OrangeTide ( 124937 ) on Wednesday December 14, 2022 @11:30AM (#63130086) Homepage Journal

    We breathe a sigh of relief when we go to a website or run an app with a valid signature. But at no time did anyone sit down and vet the software you are using. Frankly there isn't a good way to automate this, and Microsoft might want to sell us on the idea that they can provide more security. But in practice a consumer device running third-party applications is always going to be full of holes. We can't afford to pay what banks can pay for (more) secure systems, nor would we accept the limitations that such a system requires.

    • We can't afford to pay what banks can pay for (more) secure systems, nor would we accept the limitations that such a system requires.

      It would be nice to at least have a secure system on the metal with our insecure operating systems in secure containers... That seems feasible. Qubes takes a stab at it, at least.

      • Well, the system as it is, hardware wise, is secure. The OS is secure, the UEFI is secure. The unsecure part here are the humans involved. Someone did not vet a particular third party well enough and handed out some signing capabilities too fast.

        However, even in a very good system with very good controls, there is always the chance for a bad actor to screw up some part of it. The solution is to acknowledge that this can happen and have a way to stop or mitigate this. This should already exist - quickly

    • by Ritz_Just_Ritz ( 883997 ) on Wednesday December 14, 2022 @11:54AM (#63130154)

      If you think that most banks are making any extra effort to validate 3rd party software systems, I've got a bridge in Brooklyn I'd like to sell you.

      Best,

    • by gweihir ( 88907 )

      The reference to a website is deeply flawed. This is about a vendor signature checked by their own systems. Sure, the software may not be very good (or actually pretty bad like every other large update by MS), and it may not come from MS originally, but what gets certified here is that this is the thing the vendor shipped. And that in particular means it goes in exactly this form to a lot of people and these will complain in case of problems. A stolen signing key does allow a specific kind of supply-chain a

    • Signatures work well, but they require trust. When signatures get rubber-stamped then the trust level goes down. And if those rubber stamps get reproduced and then passed out to others without strict controls then the trust diminishes further. The chain of trust is eroded.

      Now this is Microsoft's fault presumably. If not, then put the blame on the owner of the signing cert that was to blame. If Microsoft gave a signing cert to StupiSoft Games and the malware gets signed by that cert or its derivatives,

    • But in practice a consumer device running any application is always going to be full of holes

      FTFY.

      Code Signing simply means the code *probably* hasn't changed since the key signed it. It says absolutely nothing about security. (The signature is just the result of running all of the bits through some algorithm. It's not able to determine the "safety" of those bits. [wikipedia.org])

      Essentially, code signing is two things: 1) A method for locking device owners out of the equipment that they paid for. (A.K.A. DRM) and 2) An attempt to handwave away the Halting Problem by handing out certificates with magic number

  • by gweihir ( 88907 ) on Wednesday December 14, 2022 @11:47AM (#63130142)

    Seriously, your secret certificates, your signing keys, they need to be protected at all cost. If you do not understand that and make it happen, then you are a 3rd rated amateur shop, nothing else.

    • This is Microsoft we're talking about here. Providing programs and operating systems for decades that have repeatedly been trivially burgled.

      Surely Lucy would never pull the football away again....never.

      • by gweihir ( 88907 )

        No argument. In many regards, MS _is_ a 3rd rated amateur shop. But as pressure from attackers and regulators rises, the cost of using MS products increases continually.

        I already know one larger enterprise that has gone "MS free" and I know of a large bank that will move to all web applications for their internal use and terminals for their users. May take a few years until they get there though.

    • by guest reader ( 2623447 ) on Wednesday December 14, 2022 @12:46PM (#63130274)

      Seriously, your secret certificates, your signing keys, they need to be protected at all cost. If you do not understand that and make it happen, then you are a 3rd rated amateur shop, nothing else.

      This story is not about lost secret certificates. It is about a weak review process in Microsoft, which signs the drivers.

      From the article:

      Because most drivers have direct access to the kernel - the core of Windows where the most sensitive parts of the OS reside - Microsoft requires them to be digitally signed using a company internal process known as attestation.

      The trick, however, is to develop a driver that doesn't appear to be malicious to the security checks implemented by Microsoft during the review process.

      • Even with strict scrutiny, there is always the issue of a bad actor. That becomes a harder problem, though it can be mitigated. If Microsoft allows third parties to obtain a signing certificate then you worry about a bad actor at that third party. Even if Microsoft insists that all drivers be signed internally at Microsoft itself, you can have a bad actor within Microsoft (and not just at the C-level :-). So you mitigate that. Be ready to quickly revoke that signing cert and push out updates.

        Which lead

        • Re: (Score:3, Informative)

          by gweihir ( 88907 )

          The problem with MS updates is that they have made and continue to make every imaginable beginner's mistake possible. MS Updates can make you insecure, they can destroy your data, they can make your system unusable, they can get you unwanted ads on your system. By this incompetence and stupidity, MS has destroyed all trust in their updates. And then they made it worse and are trying to force their crap on people. Anybody sane is wary of MS updates and only installs them when there is a really good reason no

      • by gweihir ( 88907 )

        Well, if you just sign arbitrary stuff with your key, that is not any better than having it stolen. From what was signed, I concluded they must have had their keys stolen. On closer inspection, it turns out you are right, they signed the malware themselves willingly. That is so stupid that I did not even expect MS to fail in that way. These signatures have value and they need to have value in order to serve their goals. You cannot simply make the signing part of some automated service or some low-interactio

    • by jbengt ( 874751 )

      All third party certificates do is kick the can down the road to be someone else's responsibility. They don't actually solve the security problem. I suppose they can help in being another layer of defense that may or may not be breached, but don't rely on them.

      • It's a layer of defense in that you can snip off the problem by revoking the certs. Depending upon how the drivers are actually implemented by Microsoft, you could potentially revoke the drivers themselves even if they got installed and ran a few times. Yes, there's a period of time in which the driver was able to be run on some computers, achieving 100% security is a distant and possibly unattainable goal.

        Having multiple signing certs does help with security precisely because you can revoke just one of th

  • This is why trust networks are a bad thing. It is far superior to design systems in which the cost to cheat exceeds what is practicable or profitable and trust is not required.

    • by gweihir ( 88907 )

      Definitely. Take Linux for example: If you try to put in a malicious driver there, you probably just get kicked out of that community permanently and get publicly shamed in addition. And because some actual people with a clue have to sign off on the source code (ever wondered why the Linux kernel team can afford that effort, but Microsoft apparently cannot?) and they will ask questions if something looks fishy or overly complicated, the risk of being found out is relatively high.

      • by Shaitan ( 22585 )

        Right. Granted we are 'trusting' those people to have a clue and sign off but at the same time, we are NOT trusting them at all because everything they do is transparent. I don't trust the various organized crime groups, state hackers and information agencies, etc. None of them. Fortunately, they don't trust each other either and so long as that is the case I benefit from the collective distrust they all have for one another.

        As a third party I don't have to trust ANY of these groups to do anything but look

  • More shovelware. They couldn't just put out a ban list including these suspect certificates separately?
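
Several comments above turn on revoking signer certificates, revoking individual drivers, and shipping a ban list. The following PowerShell audit is an added example, not part of the original thread or of any Microsoft tooling: it reports driver files whose signature still verifies but whose signer thumbprint or file hash is on a local deny list. The function name, the deny-list variables and the all-zero values are hypothetical placeholders; real values would come from a vendor advisory.

```powershell
# Added example. The deny-list entries are PLACEHOLDERS, not real indicators.
$DeniedThumbprints = @(
    '0000000000000000000000000000000000000000'      # placeholder signer thumbprint (SHA-1, hex)
)
$DeniedFileHashes = @(
    ('0' * 64)                                      # placeholder driver file hash (SHA-256, hex)
)

function Get-DriverSignerReport {
    # Hypothetical helper: one row per .sys file with its signature state
    # and whether the signer or the file itself is deny-listed.
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers'),
        [string[]]$Thumbprints = $DeniedThumbprints,
        [string[]]$FileHashes  = $DeniedFileHashes
    )
    Get-ChildItem -Path $Path -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate          # $null when the file is unsigned
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                File         = $_.FullName
                Status       = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer       = if ($cert) { $cert.Subject } else { $null }
                Thumbprint   = if ($cert) { $cert.Thumbprint } else { $null }
                SHA256       = $hash
                SignerDenied = [bool]($cert -and ($Thumbprints -contains $cert.Thumbprint))
                FileDenied   = [bool]($FileHashes -contains $hash)
            }
        }
}

$report = Get-DriverSignerReport

# The case the story describes: the signature checks out, yet the signer
# or the specific driver is one that should no longer be trusted.
$report |
    Where-Object { $_.Status -eq 'Valid' -and ($_.SignerDenied -or $_.FileDenied) } |
    Format-Table File, Signer, Thumbprint, SHA256 -AutoSize

# Drivers with no verifiable signature at all, for separate review.
$report |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table File, Status -AutoSize
```

A per-file hash list is kept alongside the thumbprint list because one signer certificate can cover many drivers, so a thumbprint match alone cannot single out one bad file.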
