A Whopper of a Security Flaw with Code Signing Certificates


  • Either I'm missing something, or Microsoft has let a whopper of a security flaw slip by.

    I noticed, while code signing my own applications using signtool, that I was able to resign an application already signed.  I didn't really pay too much attention as this was convenient, right?  I mean I didn't have to recompile the app to create an unsigned app ready for signing, did I?

    But that got me to thinking ... I shouldn't be able to do this with someone else's application, should I?

    But Guess What ... I can.  I just signed an application from a well known software house with my own code signing certificate, using signtool.  I did this just as a test and have since deleted the copy of the .exe file that I used for this test.

    Am I wrong in stating that this SHOULD NOT be possible?

    What do you think?

    13 November 2012 Update:

    I just tried this with a program called WinWord.exe published by Microsoft Corporation.  After signing WinWord.exe with MY code signing certificate, this test copy of WinWord.exe shows ME as the verified publisher and NOT Microsoft.

    Doesn't anyone at Microsoft find this even a little disconcerting?

    And doesn't this whopper of a brain-fart on Microsoft's part make the whole code signing certificate system a big joke?

    Charles S. Cotton

    Tuesday, November 13, 2012 4:51 AM


All replies

  • Allowing a file to be signed twice is not a security flaw. What you are thinking of is a man-in-the-middle attack, but defending against that is not the purpose of code signing. The code signing CAs do not make this kind of promise.

    Quote from http://www.verisign.com/support/contact/code-signing-misuse/index.html:

    Symantec code signing certificates are used by software publishers to assure their customers that software they distribute has not been altered or damaged after it is signed. 

    In fact, Microsoft uses this approach in its WHQL driver and Windows Store app certification process. A file must be signed with an OEM certificate before being submitted to Microsoft; then Microsoft signs it with its own certificate, which Windows Update or the Windows Store recognizes. Without the possibility of signing the file a second time, those processes won't work.

    The signing is just to assure the user that the files have not been changed after signing. It gives no indication that the signed code is original, bug-free or secure (think about the number of bugs and security holes found in signed software each year). Signing is not Microsoft-specific. For example, you can sign your email, but the signing only confirms that the email was sent by you; it does not check whether you just copied the content from another signed email.

    Visual C++ MVP

    Tuesday, November 13, 2012 3:16 PM
  • That's nice, Sheng, BUT

    It should not be possible for entity A to code-sign entity B's application that has already been signed by entity B.

    The verity of this should be clear to anyone who cares to give it some thought.  It's an example of logic 101.

    Unfortunately, your email example just muddles the issue.  Please don't do that.  This is an important issue and I would appreciate it if you would refrain from your typical deflections and redirections, Sheng.  Don't you have some real work you could be doing?

    Charles S. Cotton

    Tuesday, November 13, 2012 3:30 PM
  • No. As long as you give the file to the public, you cannot prevent others from replacing the signature, since you must give out your public key to validate the signature and the original content for properly consuming the data.

    I don't see how signing code is different from signing email. Maybe you want a false sense of security; don't educate your customers like that. Data is just data: as long as you can read the data, you can make a copy of it, then sign it with another certificate. Code signing is not a method that protects from man-in-the-middle attacks. People don't call an unauthorized signing a vulnerability; it is actually a higher level of security, because the signature would be verified as yours. Any sane person seeing a certificate that says you published MS Word would know you are lying. It is only a security issue if you can somehow hack Microsoft's server and sign your files using Microsoft's private key.

    Maybe you want to read http://en.wikipedia.org/wiki/Code_signing.

    Visual C++ MVP

    Tuesday, November 13, 2012 3:59 PM
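The distinction made in the reply above (a signature proves the bytes are unchanged since *someone* signed them; it does not by itself prove *who* you expected) is worth seeing in code. The following is an added example, not code from the thread, from signtool or from any Microsoft tool: it models a signed file with ed25519 in Go's standard library rather than with Authenticode, and the types `SignedFile`, `Sign`, `IntegrityOK`, `PublisherOK`, `Outcome` and `Demo` are all constructed for the illustration. The lesson carries over directly: a consumer that only asks "is the signature valid?" accepts a re-signed copy, while a consumer that pins the expected publisher (in Authenticode terms, the signer certificate's subject or thumbprint) rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedFile models a shipped file carrying an embedded signature block, in the
// way an Authenticode-signed PE carries its signature in its certificate table.
// The signature covers the payload digest only; nothing binds the file to a
// particular publisher except the verifier's own expectation.
type SignedFile struct {
	Payload   []byte            // the code being distributed
	Signer    ed25519.PublicKey // identity the embedded signature claims
	Signature []byte
}

// Sign attaches a signature to a copy of payload. Calling it on the payload of
// an already signed file simply replaces the old signature, which is the
// re-signing behaviour the thread describes.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedFile {
	digest := sha256.Sum256(payload)
	return SignedFile{
		Payload:   append([]byte(nil), payload...),
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// IntegrityOK answers only one question: has the payload changed since the
// embedded signer signed it? It says nothing about who that signer is.
func IntegrityOK(f SignedFile) bool {
	digest := sha256.Sum256(f.Payload)
	return ed25519.Verify(f.Signer, digest[:], f.Signature)
}

// PublisherOK is the check a consumer has to add on top: a valid signature
// from the publisher they expect, not merely a valid signature from anyone.
func PublisherOK(f SignedFile, expected ed25519.PublicKey) bool {
	return IntegrityOK(f) && f.Signer.Equal(expected)
}

// Outcome collects the verification results for the three files built in Demo.
type Outcome struct {
	OriginalIntegrity  bool // vendor-signed file, untouched
	OriginalFromVendor bool
	ResignedIntegrity  bool // same bytes, signature replaced by someone else
	ResignedFromVendor bool
	TamperedIntegrity  bool // vendor-signed file with one byte flipped
}

// Demo builds a vendor-signed file, re-signs an exact copy with a second key,
// and modifies a third copy after signing, then runs both checks on each.
func Demo() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed stand-in for the bytes of an executable.
	code := []byte("constructed sample program bytes, standing in for an .exe")

	original := Sign(vendorPriv, code)
	// Anyone holding a copy of the bytes can drop the old signature block and
	// sign again with their own key; the payload is not secret.
	resigned := Sign(otherPriv, original.Payload)
	tampered := Sign(vendorPriv, code)
	tampered.Payload[0] ^= 0xff // modification after signing

	return Outcome{
		OriginalIntegrity:  IntegrityOK(original),
		OriginalFromVendor: PublisherOK(original, vendorPub),
		ResignedIntegrity:  IntegrityOK(resigned),
		ResignedFromVendor: PublisherOK(resigned, vendorPub),
		TamperedIntegrity:  IntegrityOK(tampered),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it shows both the original and the re-signed copy passing `IntegrityOK`, which is exactly the "valid signature" the thread starter observed on the re-signed WinWord.exe; only `PublisherOK` separates the two, and only it catches a re-sign. The tampered copy fails even `IntegrityOK`, which is the one guarantee code signing does make.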
  • You're wrong, Sheng and I wish you'd stay out of my threads.  This is the second time I've made this request.

    You always change the subject and muddle the issue.  Now I'm going to have to re-post this in a new thread.  Please stay out of it!!!

    I wish you'd find something better to do with your time than pissing on every tree in the forest.

    Please respect my request that you stay out of my threads...

    Charles S. Cotton

    Tuesday, November 13, 2012 4:40 PM
  • You have the freedom of speech, but don't expect others to do as you say. Since when do you deserve special treatment? I don't read the thread starter's name, and I guess most people don't.

    Now, do some homework before making bold claims like this. It is discussed countless times elsewhere; I found a few discussions in newsgroups and on Stack Overflow in seconds. Your concern is not baseless, just a misconception about what code signing can and cannot do. In fact, Microsoft uses what you are describing as a security flaw in its WHQL and Windows Store programs to ensure the authenticity of files.

    Visual C++ MVP

    Tuesday, November 13, 2012 5:43 PM
  • Sheng,

    That's the same arrogant thing you said last time.

    Put my name on a post-it and staple it to your forehead.

    That might help you remember.

    Charles S. Cotton

    Tuesday, November 13, 2012 7:02 PM
  • Sorry, I don't think your name has any kind of importance anywhere. It is you who are arrogant, refusing to accept the purpose of a code signing certificate when it is presented to you. If replacing a code signature were forbidden, WHQL and the Windows Store wouldn't work.

    Visual C++ MVP

    Tuesday, November 13, 2012 8:26 PM
  • I am not going to continue this discussion with you, Sheng.  In the future, please stay out of my threads.

    Charles S. Cotton

    • Marked as answer by Charles Cotton Wednesday, November 14, 2012 7:27 AM
    Wednesday, November 14, 2012 7:27 AM
  • If you want to prove who first created an executable, the protocol is to send the hash of the executable to a trusted 3rd party who timestamps and signs the combined hash and timestamp.

    Thursday, November 15, 2012 2:53 AM
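The last reply sketches the protocol that actually answers "who had this executable first": a trusted third party signs the file's hash together with its own clock reading. As an added example that is not part of the thread and not the code of any real timestamping authority, here is a model of that exchange in Go's standard library with ed25519. Everything in it is constructed for the illustration: the `Token`, `Issue`, `VerifyToken`, `Earliest`, `Result` and `Demo` names, the byte layout the timestamper signs, and the Unix timestamps. One deliberate addition beyond the reply's wording is that the token also binds the requester's public key; without that, a token is just a public blob and anyone who obtains it could present it as their own, so the "who" part of the proof would be lost.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token is the third party's attestation: "requester R presented digest D at
// time T". The timestamper never sees the executable, only its hash.
type Token struct {
	Digest    [32]byte
	Requester ed25519.PublicKey
	Time      int64 // Unix seconds from the timestamper's own clock
	Sig       []byte
}

// tokenBytes is the exact byte string the timestamper signs (constructed layout).
func tokenBytes(digest [32]byte, requester ed25519.PublicKey, t int64) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(t))
	b := make([]byte, 0, len(digest)+len(requester)+len(ts))
	b = append(b, digest[:]...)
	b = append(b, requester...)
	return append(b, ts[:]...)
}

// Issue is the timestamper's side of the exchange.
func Issue(tsaPriv ed25519.PrivateKey, digest [32]byte, requester ed25519.PublicKey, now int64) Token {
	return Token{digest, requester, now, ed25519.Sign(tsaPriv, tokenBytes(digest, requester, now))}
}

// VerifyToken checks that the token was issued by the trusted timestamper and
// that it refers to exactly these file bytes.
func VerifyToken(tsaPub ed25519.PublicKey, tok Token, file []byte) bool {
	if sha256.Sum256(file) != tok.Digest {
		return false
	}
	return ed25519.Verify(tsaPub, tokenBytes(tok.Digest, tok.Requester, tok.Time), tok.Sig)
}

// Earliest returns the requester named in the oldest valid token for file, or
// nil when none verifies. Invalid tokens are skipped rather than rejected as
// a whole, because anyone may present a forgery alongside genuine tokens.
func Earliest(tsaPub ed25519.PublicKey, file []byte, toks []Token) ed25519.PublicKey {
	var best *Token
	for i := range toks {
		if !VerifyToken(tsaPub, toks[i], file) {
			continue
		}
		if best == nil || toks[i].Time < best.Time {
			best = &toks[i]
		}
	}
	if best == nil {
		return nil
	}
	return best.Requester
}

// Result reports what a verifier concludes from the constructed scenario.
type Result struct {
	VendorCredited    bool // vendor holds the earliest valid token
	ForgeryAccepted   bool // back-dated token signed with the wrong key
	WrongFileAccepted bool // vendor's token checked against modified bytes
}

func Demo() (Result, error) {
	tsaPub, tsaPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	vendorPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	copierPub, copierPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	file := []byte("constructed sample program bytes") // stand-in for the .exe
	digest := sha256.Sum256(file)

	// Constructed timeline: the vendor timestamps first, a copier a day later.
	vendorTok := Issue(tsaPriv, digest, vendorPub, 1352700000)
	copierTok := Issue(tsaPriv, digest, copierPub, 1352786400)
	// A back-dated token is worthless without the timestamper's private key.
	forged := Token{digest, copierPub, 1352600000,
		ed25519.Sign(copierPriv, tokenBytes(digest, copierPub, 1352600000))}

	winner := Earliest(tsaPub, file, []Token{copierTok, forged, vendorTok})
	modified := append([]byte(nil), file...)
	modified[0] ^= 0xff
	return Result{
		VendorCredited:    winner != nil && winner.Equal(vendorPub),
		ForgeryAccepted:   VerifyToken(tsaPub, forged, file),
		WrongFileAccepted: VerifyToken(tsaPub, vendorTok, modified),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point this adds to the reply: re-signing the file changes nothing here, because the tokens are keyed on the file's hash and the timestamper's signature, not on whatever publisher signature happens to be embedded. Precedence comes from the timestamper's clock, and the only way to claim an earlier date is to hold the timestamper's private key.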