Microsoft Security Advisory 2915720

Changes in Windows Authenticode Signature Verification

Published: December 10, 2013 | Updated: July 29, 2014

Version: 1.4

General Information

Executive Summary

Microsoft is announcing the availability of an update for all supported releases of Microsoft Windows to change how signatures are verified for binaries signed with the Windows Authenticode signature format. The change is included with Security Bulletin MS13-098, but will only be enabled on an opt-in basis. When enabled, the new behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure, and Windows will no longer recognize non-compliant binaries as signed. Note that Microsoft may make this a default behavior in a future release of Microsoft Windows.

Recommendation. Microsoft recommends that executables authors consider conforming all signed binaries to the new verification standard by ensuring that they contain no extraneous information in the WIN_CERTIFICATE structure. Microsoft also recommends that customers appropriately test this change to evaluate how it will behave in their environments. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Issue References

For more information about this issue, see the following references:

References Identification
Security Bulletin MS13-098 
General Information Introduction to Code Signing \ WinVerifyTrust function \ Authenticode Portable Executable Signature Format
Specific Information Windows Root Certificate Program - Technical Requirements

Advisory FAQ

What is the scope of the advisory? 
The purpose of this advisory is to inform customers of an optional change to how Microsoft Windows verifies Authenticode-signed binaries.

Why was this advisory revised on July 29, 2014?
This advisory was revised on July 29, 2014 to announce that the stricter Windows Authenticode signature verification behavior described here will be enabled on an opt-in basis and not made a default behavior in supported releases of Microsoft Windows.

How will Microsoft implement the stricter Windows Authenticode signature verification behavior?
On December 10, 2013, Microsoft released Security Bulletin MS13-098 to deploy the underlying code for stricter Authenticode Signature verification behavior. Previously, this advisory announced that by August 12, 2014 Microsoft would enable the changes implemented with MS13-098 as default functionality. However, as we worked with customers to adapt to this change, we determined that the impact to existing software could be high. Therefore, Microsoft no longer plans to enforce the stricter verification behavior as a default requirement. The underlying functionality for stricter verification remains in place, however, and can be enabled at customer discretion.

How can I enable the new signature verification behavior? 
Customers who would like to enable the new Authenticode signature verification behavior can do so by setting a key in the system registry. When the key is set, Windows Authenticode signature verification will no longer recognize binaries with Authenticode signatures that contain extraneous information in the WIN_CERTIFICATE structure. Customers can choose to disable the functionality at any time by disabling this registry key. See Suggested Actions below for instructions.

I enabled this change, do I need to do anything now that it will not be enforced by default?  Customers who have already enabled the stricter verification behavior, and have not experienced problems, can choose to leave the verification behavior enabled. Customers who are experiencing application compatibility problems with the new behavior, or customers who simply want to disable the new behavior, can disable the functionality by removing the EnableCertPaddingCheck registry key. See Suggested Actions below for instructions.

I did not enable this change, do I need to do anything now that it will not be enforced by default?
No. The stricter verification behavior that was installed with MS13-098 will reside on the system but will be dormant functionality until enabled.

Does the new verification behavior affect already-installed software?
The new stricter verification behavior, when enabled, applies primarily to portable executable (PE) binaries that are signed with the Windows Authenticode signature format. Binaries that are not signed with this format or that do not use WinVerifyTrust to verify signatures are not affected by the new behavior. Binaries most likely to be affected are PE installer files distributed via the Internet that are customized at time of download. The most common scenario in which users may perceive an impact is during the downloading and installation of new applications. This is the case only if customers have chosen to enable the stricter verification behavior, after which users may observe warning messages when attempting to install new applications with signatures that fail validation.

Does the new verification behavior impact AppLocker policies?
For customers who have chosen to enable the stricter verification behavior, any AppLocker rule that depends on files being signed, or expects a specific publisher, may be impacted if the signature on a file does not meet the stricter Authenticode signature verification requirements.

Does the new verification behavior impact Software Restriction Policies?
For customers who have chosen to enable the stricter verification behavior, any Software Restriction Policy that depends on files being signed, or expects a specific publisher, may be impacted if the signature on a file does not meet the stricter Authenticode signature verification requirements.

The new stricter verification behavior deems my binary non-compliant. What are my options?
If a binary is deemed non-compliant with the stricter Authenticode signature verification behavior, this will not be a problem on systems that have not had the new verification behavior enabled because Microsoft is not enforcing the stricter behavior by default. However, to correct problems with a binary failing validation on systems where the new verification behavior has been enabled, that binary will need to be re-signed with strict adherence to the Windows Authenticode Signature format and specifically not include extraneous information in the WIN_CERTIFICATE structure.

Is there any possibility of a signature being recognized as non-compliant with the stricter verification process if I sign using non-Microsoft-provided signing tools?
Yes. For customers opting to enable the stricter verification behavior, signing binaries with non-Microsoft-provided signing tools runs the risk of signatures being recognized as non-compliant with the stricter verification behavior. Using Microsoft products, or signature tools Microsoft provides, such as signtool.exe, helps to ensure that signatures are recognized as compliant.

What is Windows Authenticode? 
Windows Authenticode is a digital signature format that is used to determine the origin and integrity of software binaries. Authenticode uses Public-Key Cryptography Standards (PKCS) #7 signed data and X.509 certificates to bind an Authenticode-signed binary to the identity of a software publisher. The term "Authenticode signature" refers to a digital signature format that is generated and verified using the WinVerifyTrust function.

What is Windows Authenticode signature verification?
Windows Authenticode signature verification consists of two primary activities: signature checking on specified objects and trust verification. These activities are carried out by the WinVerifyTrust function, which executes a signature check then passes the inquiry to a trust provider that supports the action identifier, if one exists. For more technical information regarding the WinVerifyTrust function, see WinVerifyTrust function.

For an introduction to Authenticode, see Introduction to Code Signing.

Suggested Actions

  • Review Microsoft Root Certificate Program Technical Requirements

    Customers who are interested in learning more about the topic covered in this advisory should review Windows Root Certificate Program - Technical Requirements.

  • Modify Binary Signing Processes

    After reviewing the technical details underlying the change in Authenticode signature verification behavior, Microsoft recommends that customers ensure that their Authenticode signatures do not contain extraneous information in the WIN_CERTIFICATE structure. Microsoft also recommends that executables authors consider conforming their Authenticode-signed binaries to the new verification standard. Authors who have modified their binary signing processes and would like to enable the new behavior may do so on an opt-in basis. See Windows Root Certificate Program - Technical Requirements for guidance.

  • Test the Improvement to Authenticode Signature Verification

    Microsoft recommends that customers test how this change to Authenticode signature verification behaves in their environment before fully implementing it. To enable the Authenticode signature verification improvements, modify the registry to add the EnableCertPaddingCheck value as detailed below.

    Warning Performing these steps to enable the functionality changes included in the MS13-098 update will cause non-conforming binaries to appear unsigned and, therefore, render them untrusted.

    Note If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    After installing the MS13-098 update, perform the following:

    For 32-bit versions of Microsoft Windows

    Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification.reg).

    Windows Registry Editor Version 5.00  
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]   
    "EnableCertPaddingCheck"="1"  
    

    You can apply this .reg file to individual systems by double-clicking it.

    Note You must restart the system for your changes to take effect.

    For 64-bit versions of Microsoft Windows

    Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification64.reg).

    Windows Registry Editor Version 5.00  
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]   
    "EnableCertPaddingCheck"="1"
    
    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] 
    "EnableCertPaddingCheck"="1"
    

    You can apply this .reg file to individual systems by double-clicking it.

    Note You must restart the system for your changes to take effect.

    Impact of enabling the functionality changes included in the MS13-098 update. Non-conforming binaries will appear unsigned and, therefore, be rendered untrusted.

    How to disable the functionality. Perform the following to delete the registry value previously added.

    For 32-bit versions of Microsoft Windows, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, disableAuthenticodeVerification.reg).

    Windows Registry Editor Version 5.00  
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]   
    "EnableCertPaddingCheck"=-
    

    You can apply this .reg file to individual systems by double-clicking it.

    Note You must restart the system for your changes to take effect.

    For 64-bit versions of Microsoft Windows, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, disableAuthenticodeVerification64.reg).

    Windows Registry Editor Version 5.00  
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]   
    "EnableCertPaddingCheck"=-
    
    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]   
    "EnableCertPaddingCheck"=-
    

You can apply this .reg file to individual systems by double-clicking it.

Note You must restart the system for your changes to take effect.

Additional Suggested Actions

  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (December 10, 2013): Advisory published.
  • V1.1 (December 13, 2013): Corrected the registry key information in the Test the Improvement to Authenticode Signature Verification suggested action. Customers who have applied or plan to apply the suggested action should review the revised information.
  • V1.2 (February 11, 2014): Rereleased advisory as a reminder to customers that the dormant changes implemented with MS13-098 will be enabled on June 10, 2014. After this date, Windows will no longer recognize non-compliant binaries as signed. See the Recommendation and Suggested Actions sections of this advisory for more information.
  • V1.3 (May 21, 2014): Revised advisory to reflect new August 12, 2014 cut-off date for when non-compliant binaries will no longer be recognized as signed. Now, instead of a June 10, 2014 cut-off date, the dormant changes implemented with MS13-098 will be enabled August 12, 2014.
  • V1.4 (July 29, 2014): Revised advisory to announce that Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. It remains available as an opt-in feature. See the Advisory FAQ section for more information.

Page generated 2014-07-29 14:38Z-07:00.