What Is Code Signing?
Code signing is a powerful way to verify who the developer is for a piece of software, and ensure that the code of executable files and scripts has not been changed or tampered with since it was signed. This technique has been used for over 30 years by the computer software industry to ensure that software can be safely installed and run on users’ computers.
However, for this to be an effective protection method, the operating system needs to have underlying mechanisms that detect when code that they are running or installing has invalid code signing signatures. The operating system is then responsible for warning the user of the problem or preventing the installation or execution of the incorrectly signed code altogether.
Therefore, computer users rely on companies like Microsoft (the maker of Windows) or Apple (the maker of macOS) to ensure that their operating systems protect against code with invalid code signing signatures.
Microsoft did not fix a known vulnerability for two years
A vulnerability in Microsoft Windows underlying code signing libraries was known and being exploited by malware authors for nearly two years. Known as the CVE-2020-1464 vulnerability, malware authors were able to exploit a spoofing vulnerability in the code signing evaluation method of certain files. The vulnerability allowed an attacker to execute malicious files using a valid signature from a trusted developer.
Details of the exploit
Security researchers from VirusTotal disclosed two years ago a spoofing vulnerability in Microsoft allowed an attacker to append a malicious JAR to a MSI file signed by a trusted software developer like Microsoft or Google, rename the resulting file with the .jar extension and have a valid signature according Microsoft Windows.
The vulnerability allowed an attacker to append a JAR file to a signed Windows Installer (.MSI) without changing the file’s signature—resulting in the file to appear to be a validly code signed file for Microsoft Windows, passing without any warning.
The technique was discovered by the VirusTotal Team in August 2018, but no reports of malware authors exploiting were available. Only in June this year, a security researcher reported that Java RAT malware authors such as Ratty and Adwind are exploiting the vulnerability to distribute malicious JAR appended to signed MSI files.
How can Venafi help?
The vulnerability in Microsoft file signature validation demonstrates strategic importance of leveraging code signing with attackers’ malicious activity. Even though in this case the vulnerability comes from a failure with the Windows code signing libraries, this is a good lesson for companies that distribute software as their product or use software for their internal business infrastructure. Attackers thwarted by your code signing efforts are now turning to stealing or misusing your unprotected code signing keys to sign their malware. And when they distribute it, the malware will LOOK like it comes from your company.
This attack stresses the importance of protecting not only code signing private keys, but also enforcing a process that limits the use of those keys. Furthermore, it provides a way for InfoSec to monitor EVERY code signing activity within your organization including what code was signed, when it was signed, who signed it, who approved the use of the key, which code signing tool was used to sign, and what computer performed the code signing operation.
How secure is your organization’s code signing process?