Microsoft Attack Surface Analyzer V1 (just released a day or three ago) Download is deemed unsafe by IE9 - Certificate invalid - can't import fix.

Question

Hi everyone,

If I go to http://www.microsoft.com/en-us/downl....aspx?id=24487 to get the download, when it completes, I get a message from the IE9 Download Manager that says it is unsafe.  If you go to the folder and check the installation file properties, you discover that the certificate is not valid.  If you try to import the certificate, it does make some minor changes to the certificate information (and adds a path sub-header which cannot be accessed, but it still sees it as not valid  (though the information LOOKS valid).  I note that in Certificate Advanced it says Version V2, but when I go to view certificate, in the details it starts by saying V3 - and I have no clue if this is part of the problem.  Is this something to be ignored, is it some kind of bug with IE9 or the certificate manager, or what?  I did scan the download with MSE and MBAM and both came up clean.  Anyone have any ideas?

Though I don't see why this would matter for a certificate issue, I'm using 32-bit Vista Business SP2 and IE9 with  - both fully updated.  SmartScreen Filter is on (obviously).  I have .NET Framework 4 Client Profile and .NET Framework 4 Extended installed (again, those seem more like making it work than security issues with the download due to certificate problems).  Yes, I understand I can only capture and not analyze with Vista - but that should be a limit of what it does - not a certificate security issue with the download.

I don't know how to get past this except to ignore the warning (after all, I did get it from the Microsoft Download site) - but I REALLY don't like downloads with certificate problems - even if from a trusted source.   I mean, when you think about it, perhaps the key point of this product is improved security and it doesn't bode well for such a product to start by ignoring a certificate validity warning just to install it.

Thanks for whatever help you can provide.

Kosh

Answer 1

Kosh, 
 
Thank you for your report. We have reproduced this issue on Vista SP2. We will post an update after we determine a resolution to this issue. In the mean time you can validate the current certificate with newer versions of Windows

Answer 2

Kosh,

We have reproduced the issue and identified the cause. It will be at least a few weeks before we have a chance to release a version signed with a certificate that does not have this issue in Vista. If you are interested in more detail let me know and we can arrange a time to discuss.

Answer 3

Hi Jimmie Lee,

Is marking this as an Answer now an indication that the problem is resolved for Vista (in which case I'll mark a response saying that it is resolved as the answer) or is this just clean-up of old threads by the Mod and the problem with Vista remains?  I was assuming I'd hear a response that it was resolved so I could try again and verify that rather than marking the answer and assuming I'll assume that means the problem is resolved and I'll go about testing it myself without actually hearing it was fixed (which I didn't really intend to do). 

My issue is that it's all well and good to say it can be tested on W7 or later machines, but that assumes I have them.  Otherwise, if the certificate can't be validated by Vista, in certain situations where later versions aren't available, the issue remains.  And I've no intention of testing a known issue over and over when a simple reponse that it's fixed would allow me to verify it with excellent chances of success.

Sorry.  I don't mean to be a PIT@, but the answer that gets marked here is "it's fixed" and I can verify that (and if so, will I need to download another copy or will the fix apply to the copy I originally downloaded) - not just marking an old thread with no notification given to me about it (especially since I'm likely the one who brought it to your attention as you needed to reproduce it which normally means you didn't know before then).

Thanks and I hope the reply is that it is resolved and I can move forward and shortly after my verification, mark this thread myself.

Kosh

Answer 4

Hi Kosh,

This was a cleanup by the mod and the problem with Vista still remains. We are still working on the solution and will update this thread when complete. Thanks for bringing this to my attention.