Microsoft Security Advisory (2749655)

Where are the updates for Windows 8 and Windows Server 2012? 
The updates for Windows 8 and Windows Server 2012 are included in the "Windows 8 Client and Windows Server 2012 General Availability Cumulative Update" (KB2756872). For more information and download links, see Microsoft Knowledge Base Article 2756872. These updates are also available from Microsoft Update and Windows Update.

What is the scope of the advisory? 
The purpose of this advisory is to notify customers of an issue involving binaries that were signed with digital certificates generated by Microsoft without proper timestamp attributes.

As a pre-emptive action to assist customers, Microsoft is providing a non-security update for supported releases of Microsoft Windows. This update helps to ensure compatibility between Microsoft Windows and affected software binaries.

Is this a security vulnerability that requires Microsoft to issue a security update? 
No. This update improves an existing defense-in-depth component for Microsoft customers to help improve security-related features in Windows.

This is a security advisory about a non-security update. Isn’t that a contradiction? 
Security advisories address security changes that may not require a security bulletin but may still affect customer’s overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that will determine your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security.

Microsoft is issuing an update for this component to improve long-term stability and compatibility for software and components that use the Windows Authenticode Signature Verification function.

What causes this issue? 
This issue is caused by a missing timestamp Enhanced Key Usage (EKU) extension during certificate generation and signing of Microsoft core components and software. Some certificates used for two months of 2012 did not contain an X.509 timestamp Enhanced Key Usage (EKU) extension.

What does this update do? 
This update will help to ensure the continued functionality of all software that was signed with a specific certificate that did not use a timestamp Enhanced Key Usage (EKU) extension. To extend their functionality, WinVerifyTrust will ignore the lack of a timestamp EKU for these specific X.509 signatures

If Microsoft is releasing a non-security update addressing this issue, why is Microsoft also re-releasing bulletins? 
The update addresses the majority of cases in which certificates use Windows Authenticode Signature Verification, such as when a file is viewed or executed in Windows or Internet Explorer. However, to ensure that all certificate use and validation functions are addressed, in addition, affected packages and software will be updated or rereleased to ensure that third-party CodeSign verification functions correctly.

What is the impact of not installing this update? 
Without this update, improperly signed files, such as executable images, would not be considered correctly signed after the expiration of the CodeSign certificate used in the signing process. For example, Windows Update will not install some security updates after the expiration date if this update is not installed. Other effects include, for example, that an application installer may display an error message. Third-party application whitelisting solutions may also be impacted.

When will the affected code-signing certificates expire? 
The CodeSign certificates have a variety of expiration dates. The earliest expiration date is in November 2012.

How are timestamp Enhanced Key Usage (EKU) extensions used? 
Per RFC3280, timestamp Enhanced Key Usage (EKU) extensions are used to bind the hash of an object to a time. These signed statements show that a signature existed at a particular point in time. They are used in code integrity situations when the code signing certificate has expired, to verify that the signature was made before the certificate expired. For more information about certificate timestamps, see How Certificates Work and Windows Authenticode Portable Executable Signature Format.

What is a digital certificate? 
In public key cryptography, one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this. A digital certificate is an electronic credential used to certify the online identities of individuals, organizations, and computers. Digital certificates contain a public key packaged together with information about it - who owns it, what it can be used for, when it expires, and so forth.

Does this issue represent the compromise of the affected certificates? 
No. The affected certificates are not compromised in any way and we are not aware of any impact to customers at this time.

What is the Windows Authenticode Signature Verification function?
The Windows Authenticode Signature Verification function, or WinVerifyTrust, performs a trust verification action on a specified object. The function passes the inquiry to a trust provider that supports the action identifier, if one exists. The WinVerifyTrust function performs two actions: signature checking on a specified object and trust verification action. For more information, see WinVerifyTrust Function.

What impact does this issue have on developers? 
Developers can be affected by this issue when their applications use an affected redistributable. Applying this update on systems that use the developer's application will remediate the issue. Additionally, Microsoft will publish updated versions of affected redistributables. Developers should incorporate these into future updates to their applications.

Apply the update for supported releases of Microsoft Windows

The majority of customers have automatic updating enabled and will not need to take any action because the KB2749655 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install updates manually, Microsoft recommends that customers apply the KB2749655 update and any rereleased updates that address this issue immediately, either by using update management software or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2749655.