Microsoft Fixes 2-Year-Old Spoofing Vulnerability after Malware Authors Exploit It in the Wild

September 30, 2020 | Yana Blachman
What Is Code Signing?

Code signing is a powerful way to verify who the developer is for a piece of software, and ensure that the code of executable files and scripts has not been changed or tampered with since it was signed. This technique has been used for over 30 years by the computer software industry to ensure that software can be safely installed and run on users’ computers. 

However, for this to be an effective protection method, the operating system needs to have underlying mechanisms that detect when code that they are running or installing has invalid code signing signatures. The operating system is then responsible for warning the user of the problem or preventing the installation or execution of the incorrectly signed code altogether. 

Therefore, computer users rely on companies like Microsoft (the maker of Windows) or Apple (the maker of macOS) to ensure that their operating systems protect against code with invalid code signing signatures. 

Microsoft did not fix a known vulnerability for two years

A vulnerability in the code signing libraries underlying Microsoft Windows was known, and was being exploited by malware authors, for nearly two years. Tracked as CVE-2020-1464, it is a spoofing vulnerability in the way Windows evaluates the code signature of certain file types. It allowed an attacker to execute malicious files that carried a valid signature from a trusted developer.

It remained unpatched and undisclosed by Microsoft until August 2020. Microsoft patched the vulnerability only following news reports of active malware campaigns exploiting it in the wild. 

Details of the exploit 

Two years ago, security researchers from VirusTotal disclosed a spoofing vulnerability in Microsoft Windows that allowed an attacker to append a malicious JAR to an MSI file signed by a trusted software developer such as Microsoft or Google, rename the resulting file with the .jar extension, and still have the file carry a valid signature according to Microsoft Windows.

The vulnerability allowed an attacker to append a JAR file to a signed Windows Installer (.MSI) without invalidating the file’s signature. The resulting file appeared to Microsoft Windows as a validly code signed file and passed without any warning.

The technique was discovered by the VirusTotal team in August 2018, but at the time there were no reports of malware authors exploiting it. Only in June this year did a security researcher report that the authors of Java RAT malware such as Ratty and Adwind were exploiting the vulnerability to distribute malicious JARs appended to signed MSI files.
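The file described above is a polyglot: it opens as a signed MSI (an OLE compound file) from the front, while a Java runtime reads it as a ZIP archive from the End of Central Directory record at the back. The following added example (not part of the original post or of VirusTotal's research) shows how a defender can flag such files by checking both ends, using a constructed stand-in for the signed MSI and a minimal constructed JAR.

```python
"""Detect MSI/JAR polyglots: an OLE/MSI header in front, a ZIP archive appended behind."""
import io
import struct
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file magic used by .msi
EOCD_SIG = b"PK\x05\x06"                         # ZIP End of Central Directory signature


def zip_eocd_offset(data: bytes) -> int:
    """Locate the EOCD record from the end of the file, as a ZIP reader would."""
    # EOCD is 22 bytes plus an optional archive comment of at most 65535 bytes.
    tail_start = max(0, len(data) - 22 - 0xFFFF)
    return data.rfind(EOCD_SIG, tail_start)


def appended_zip_offset(data: bytes) -> int:
    """Offset at which an embedded ZIP archive begins, or -1 if data is not a ZIP.

    A ZIP reader (Java, Python's zipfile) tolerates data in front of the archive by
    comparing where the central directory claims to be with where the EOCD really is;
    the difference is the size of whatever was prepended, here the MSI."""
    off = zip_eocd_offset(data)
    if off < 0:
        return -1
    cd_size, cd_offset = struct.unpack_from("<II", data, off + 12)
    start = off - cd_size - cd_offset
    if start < 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return -1
    return start


def is_msi_jar_polyglot(data: bytes) -> bool:
    """True if the file starts as an MSI container and also carries an appended ZIP/JAR."""
    return data.startswith(CFB_MAGIC) and appended_zip_offset(data) > 0


def build_jar() -> bytes:
    """Constructed minimal JAR (a ZIP with a manifest); the class bytes are a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Payload.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed polyglot: a 512-byte stand-in for a signed MSI with the JAR appended."""
    fake_msi = CFB_MAGIC + b"\x00" * (512 - len(CFB_MAGIC))
    return fake_msi + build_jar()


if __name__ == "__main__":
    print("polyglot detected:", is_msi_jar_polyglot(build_sample()))
```

The same check applies to any file whose extension says .jar but whose first bytes say MSI: a legitimate JAR never begins with the OLE compound file magic.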

How can Venafi help? 

The vulnerability in Microsoft’s file signature validation demonstrates how strategically important code signing is to attackers’ malicious activity. Even though in this case the vulnerability lies in the Windows code signing libraries, it is a good lesson for companies that distribute software as their product or rely on software for their internal business infrastructure. Attackers thwarted by your code signing efforts are now turning to stealing or misusing your unprotected code signing keys to sign their malware. And when they distribute it, the malware will LOOK like it comes from your company.

This attack stresses the importance not only of protecting code signing private keys, but also of enforcing a process that limits how those keys are used. Furthermore, Venafi gives InfoSec a way to monitor EVERY code signing activity within your organization, including what code was signed, when it was signed, who signed it, who approved the use of the key, which code signing tool was used, and which computer performed the code signing operation.

How secure is your organization’s code signing process?

About the author

Yana Blachman

Yana is a Threat Intelligence Specialist at Venafi and has worked in the field for the last 7 years. Yana’s expertise includes tactical and operational threat analysis, threat hunting, and Dark Web intelligence.