             AUSCERT External Security Bulletin Redistribution

          Changes in Windows Authenticode Signature Verification
                             11 December 2013


        AusCERT Security Bulletin Summary

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory (2915720)

Changes in Windows Authenticode Signature Verification

Published: Tuesday, December 10, 2013

Version: 1.0

General Information

Executive Summary

Microsoft is announcing the availability of an update for all supported 
releases of Windows to change how signatures are verified for binaries signed
with the Windows Authenticode signature format. The change is included with 
Security Bulletin MS13-098, but will not be enabled until June 10, 2014. Once
enabled, the new default behavior for Windows Authenticode signature 
verification will no longer allow extraneous information in the 
WIN_CERTIFICATE structure. Note that after June 10, 2014, Windows will no 
longer recognize non-compliant binaries as signed.

Recommendation. Microsoft recommends that by June 10, 2014, authors of 
executables ensure that all signed binaries comport with this new verification 
behavior by containing no extraneous information in the WIN_CERTIFICATE 
structure. Microsoft also recommends that customers appropriately test this 
change to evaluate how it will behave in their environments. Please see the 
Suggested Actions section of this advisory for more information.

Suggested Actions

Review Microsoft Root Certificate Program Technical Requirements

Customers who are interested in learning more about the topic covered in this
advisory should review Windows Root Certificate Program - Technical 

Modify Binary Signing Processes by June 10, 2014

After reviewing the technical details underlying the change in Authenticode 
signature verification behavior, Microsoft recommends that customers ensure 
that their Authenticode signatures do not contain extraneous information in 
the WIN_CERTIFICATE structure. Microsoft also recommends that authors of 
executables verify that their Authenticode-signed binaries conform to the new 
verification requirements before June 10, 2014. Authors who have modified 
their binary signing processes and would like to enable the new behavior prior
to June 10, 2014 may do so on an opt-in basis. After June 10, 2014, binaries 
with signatures that do not conform to the new verification process will be 
considered unsigned. See Windows Root Certificate Program - Technical 
Requirements for guidance.
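As an added illustration of the conformance check described above (example code, not Microsoft's and not part of this advisory), the following Python script locates a PE file's Certificate Table through the Security data directory, splits it into WIN_CERTIFICATE entries and reports any bytes that trail the DER-encoded PKCS#7 SignedData inside each entry. The compliance rule it applies (nothing may follow the PKCS#7 blob except zero bytes used for 8-byte alignment) is an assumption modelled on the advisory's wording, not Microsoft's published verifier logic; the sample Certificate Table and the minimal PE skeleton it builds are constructed test data so the script runs offline.

```python
import struct

# WIN_CERTIFICATE header: dwLength (DWORD), wRevision (WORD), wCertificateType (WORD)
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_tlv_length(buf):
    """Total encoded size (tag + length + content) of the DER element at buf[0]."""
    if len(buf) < 2:
        raise ValueError("truncated DER header")
    first = buf[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def read_certificate_table(pe):
    """Return the Certificate Table bytes via the Security data directory.
    Unlike other directories, its first field is a raw file offset, not an RVA."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt_off = e_lfanew + 4 + 20             # past the signature and COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dirs_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    file_off, size = struct.unpack_from("<II", pe, entry)
    return pe[file_off:file_off + size] if size else b""


def parse_win_certificates(table):
    """Split the Certificate Table into (wRevision, wCertificateType, bCertificate)."""
    entries, off = [], 0
    while off + WIN_CERT_HEADER.size <= len(table):
        dw_length, revision, cert_type = WIN_CERT_HEADER.unpack_from(table, off)
        if dw_length < WIN_CERT_HEADER.size or off + dw_length > len(table):
            raise ValueError("bad WIN_CERTIFICATE dwLength")
        entries.append((revision, cert_type, table[off + 8:off + dw_length]))
        off += (dw_length + 7) & ~7          # entries are 8-byte aligned
    return entries


def extraneous_bytes(b_certificate):
    """Bytes inside bCertificate that follow the DER-encoded PKCS#7 SignedData."""
    if not b_certificate or b_certificate[0] != 0x30:   # DER SEQUENCE tag
        raise ValueError("bCertificate is not a DER SEQUENCE")
    return b_certificate[der_tlv_length(b_certificate):]


def is_compliant(b_certificate):
    """Assumed model of the stricter rule: only zero alignment padding may trail
    the PKCS#7 blob. Any other trailing bytes make the entry non-compliant."""
    tail = extraneous_bytes(b_certificate)
    return len(tail) < 8 and not any(tail)


def audit_table(table):
    """(entry index, compliant?, trailing byte count) for every PKCS#7 entry."""
    results = []
    for i, (_revision, cert_type, b_cert) in enumerate(parse_win_certificates(table)):
        if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            continue
        results.append((i, is_compliant(b_cert), len(extraneous_bytes(b_cert))))
    return results


def build_sample_table():
    """Constructed sample: a 10-byte DER SEQUENCE stands in for a real SignedData blob."""
    pkcs7 = b"\x30\x08" + b"\xA5" * 8
    hdr = (WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    good = WIN_CERT_HEADER.pack(8 + len(pkcs7), *hdr) + pkcs7
    good += b"\0" * (-len(good) % 8)         # alignment padding between entries
    tainted = pkcs7 + b"EXTRA DATA"          # appended bytes not covered by the signature
    bad = WIN_CERT_HEADER.pack(8 + len(tainted), *hdr) + tainted
    bad += b"\0" * (-len(bad) % 8)
    return good + bad


def build_minimal_pe(table):
    """Constructed PE skeleton (not loadable): just enough headers to carry `table`."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0)
    opt = bytearray(224)                     # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    table_off = e_lfanew + 4 + 20 + len(opt)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, table_off, len(table))
    return dos + coff + bytes(opt) + table


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(build_sample_table())
    for idx, ok, extra in audit_table(read_certificate_table(data)):
        print(f"entry {idx}: {'OK' if ok else 'NON-COMPLIANT'} ({extra} trailing byte(s))")
```

Run it with a path to a signed PE to audit that file, or with no arguments to audit the constructed sample, which reports the first entry as OK and the second as non-compliant with 10 trailing bytes. The script only measures what trails the blob; it does not validate the signature itself, so use it alongside, not instead of, Windows' own verification with the registry opt-in enabled.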

Test the Improvement to Authenticode Signature Verification

Microsoft recommends that customers test how this change to Authenticode 
signature verification behaves in their environment by enabling it prior to 
June 10, 2014. To enable the Authenticode signature verification improvements,
create (or modify) the system registry key and string value detailed below and
set the string value to "1" (setting the string value to "0", or deleting the
key, effectively disables the update):

Warning: If you use Registry Editor incorrectly, you may cause serious problems
that may require you to reinstall your operating system. Microsoft cannot 
guarantee that you can solve problems that result from using Registry Editor 
incorrectly. Use Registry Editor at your own risk.

To enable the update:

EnableCertPaddingCheck = "1"

To disable the update:

EnableCertPaddingCheck = "0"

Note: Enabling the update will cause non-conforming binaries to appear unsigned
and, therefore, render them untrusted.

Keep Windows Updated

Windows users should apply the latest Microsoft security updates to help make
sure that their computers are as protected as possible. If you are not sure 
whether your software is up to date, visit Windows Update, scan your computer
for available updates, and install any high-priority updates that are offered
to you. If you have Automatic Updates enabled, the updates are delivered to 
you when they are released, but you have to make sure you install them.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967