The power to sign—who can you trust?
Tuesday, March 2, 2021
Most (if not all) managers can usually draw up documents in their companies, but not all of them have the power to sign these documents—only those employees who take responsibility for the decisions voiced in the signed documents have this right. This seems logical. A similar situation can also be seen when it comes to software.
Anyone can create a program, including a malicious one. There are even training courses whose authors promise to teach anyone interested how to write malware. A user has no way of being sure that a program they receive is not malicious. And we would like to have a guarantee!
In the case of software, a digital signature is meant to be that guarantee. It vouches for the program in the same way a notary's signature vouches for a document. In particular, a valid signature shows that the program has not been changed since it was signed: its integrity is intact, and no code, malicious or otherwise, has been injected into it after signing. Requiring signatures imposes obligations and costs on developers, but it pays off because it gives users an additional layer of safety.
A digital signature can be verified by the operating system when a program is launched, and by other software, in particular the Dr.Web anti-virus.
But there is an interesting nuance: whoever verifies the signature also decides what to do next with the signed file.
For example, Windows checks whether the drivers it loads are signed. We agree that this is reasonable and useful: once a driver is loaded, it runs in kernel mode, so a cybercriminal or a malicious program that gets a driver loaded can do practically anything in the system.
But it is not enough to know whether a file has been changed since it was signed; it is just as important to know whether the party who signed it can be trusted. Microsoft took a drastic step here: it stopped supporting third-party (cross-signed) certificates for kernel-mode code. Certificates that currently allow kernel-mode code to be signed keep working until they expire, after which they become invalid. To sign a driver now, one has to register with the Windows Hardware Dev Center and submit the driver there.
On the one hand, this is the right thing to do: the company is taking responsibility. On the other hand, it also gives the company control over access to the signing system. At any moment, it can decide (or someone else can decide for it, for instance by imposing sanctions with which the company has to comply) who has the right to run code in the operating system and who does not. Scary.
"All developers who wish to have their kernel-mode drivers included in Windows must follow the procedures outlined by the Microsoft Hardware Development Team"
As for ordinary executable files, most commercial software is digitally signed. Here is a simple example. If a user searches the Internet for a certain program, there is no guarantee that the first result will be the developer's own site, and it is far from certain that the file offered for download is the original rather than a copy modified by hackers. In this situation it would be good if the operating system got involved.
By default, when an application that requires elevated privileges is launched, Windows checks its signature as part of UAC (User Account Control). If the signature is missing or invalid, the system does not block the launch; the UAC prompt merely shows the program as coming from an unknown publisher.
However, if a modified executable that does not request elevation is launched (chrome.exe, for example), a system with default settings does not react to the change at all, even though the digital signature is now invalid. To verify the signature by hand, the user has to open the Digital Signatures tab in the file's properties and inspect the certificate (or query it with PowerShell's Get-AuthenticodeSignature cmdlet, which reports the status and the signer).
So the OS does not restrict the launch of executables that have been modified (including by hackers or malware); it leaves the decision to the user.
And what will the user do in most cases after seeing a warning that a file they have just downloaded is unsigned? That's right: click OK. Assuming they have not disabled UAC beforehand.
The Anti-virus Times recommends
Should an ideal system warn users about a modified executable, raising their awareness and encouraging developers to sign their software? Or should the OS by default give the user maximum freedom, leaving them to decide whether they want security at the cost of extra settings and warnings?
As things stand, Windows leaves security to the user's discretion. As mentioned above, the operating system does almost nothing to prevent the launch of a file with an invalid digital signature; the only warning is the UAC prompt, and even that does not prohibit a modified file from running.
And there is one more problem. Can one rely on a valid signature alone? Probably not. The user does not know who signed the file, or how.
Take Trojan.ShadowHammer. A cybercrime gang stole a very popular vendor's code-signing certificate and used it to sign an infected executable. The file, downloaded from the vendor's official site, contained malicious code, and its signature was considered valid until the compromise was discovered. Only then did the vendor revoke the certificate.
Signatures are an important security factor, but they still do not give a 100% guarantee. Under certain circumstances a file can be modified (or infected) without affecting the validity of its signature, for example by exploiting vulnerabilities in the operating system or in the application components that check signature integrity. Windows CVE-2020-16922 (patched in October 2020) is a recent example: attackers took a validly signed MSI installer and "glued" a malicious file onto it while the digital signature remained valid. The signature is present, but it covers only part of the file.
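An added example, not code from the original article, of how a signature can stay valid while the file grows. An MSI is a compound file (the OLE2 structured-storage format), and its Authenticode signature is computed over the contents of that container, so bytes appended after the container's last sector are outside the signed region. The script below parses the compound-file header and FAT to compute how large the container says it is, compares that with the real file size, and shows that the hash of the signed region is unchanged after a payload is glued on. The MSI it operates on is a minimal constructed container (a FAT sector, an empty directory sector and one data sector), not a real installer, and SHA-256 over the container stands in for the signature's content hash; the function names are the author's own.

```python
"""Detect data glued after the end of a compound file (MSI) container.

Added example. The sample container below is constructed, not a real MSI,
and a plain SHA-256 stands in for the Authenticode content hash.
"""
import hashlib
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAXREGSECT = 0xFFFFFFFA      # highest sector number that is a real sector
FATSECT = 0xFFFFFFFD         # FAT entry marking a sector that holds the FAT
ENDOFCHAIN = 0xFFFFFFFE      # last sector of a chain / "no such sector"
FREESECT = 0xFFFFFFFF        # unallocated sector


def fat_sector_locations(data, sector_size, num_fat, first_difat, num_difat):
    """Sector numbers of the FAT sectors: 109 live in the header, the rest in the DIFAT chain."""
    locs = list(struct.unpack_from("<109I", data, 76))
    per_sector = sector_size // 4
    sect = first_difat
    for _ in range(num_difat):
        entries = struct.unpack_from("<%dI" % per_sector, data, (sect + 1) * sector_size)
        locs.extend(entries[:-1])     # last entry links to the next DIFAT sector
        sect = entries[-1]
    return [s for s in locs if s <= MAXREGSECT][:num_fat]


def logical_size(data):
    """Byte length of the container as described by its own header and FAT."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    sector_shift, = struct.unpack_from("<H", data, 30)
    sector_size = 1 << sector_shift
    num_fat, = struct.unpack_from("<I", data, 44)
    first_difat, num_difat = struct.unpack_from("<II", data, 68)
    per_sector = sector_size // 4
    highest = -1
    for idx, fat_sect in enumerate(fat_sector_locations(data, sector_size, num_fat, first_difat, num_difat)):
        entries = struct.unpack_from("<%dI" % per_sector, data, (fat_sect + 1) * sector_size)
        for j, entry in enumerate(entries):
            if entry != FREESECT:
                highest = max(highest, idx * per_sector + j)
    # sector n occupies bytes (n+1)*sector_size .. (n+2)*sector_size; the header is "sector -1"
    return (highest + 2) * sector_size


def trailing_bytes(data):
    """How many bytes lie past the end of the container (0 for a clean file, negative if truncated)."""
    return len(data) - logical_size(data)


def signed_digest(data):
    """Stand-in for the content hash a format-aware signature covers: only the container itself."""
    return hashlib.sha256(data[:logical_size(data)]).hexdigest()


def build_sample_msi():
    """Constructed minimal compound file: 512-byte header, FAT sector, directory sector, one data sector."""
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x003E, 3, 0xFFFE, 9, 6)        # version 3.62, sector 512, mini 64
    struct.pack_into("<IIII", header, 40, 0, 1, 1, 0)                      # dir sectors, 1 FAT sector, dir at sector 1
    struct.pack_into("<IIIII", header, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # mini cutoff, no mini FAT, no DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))         # FAT lives in sector 0
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (128 - 3)       # sectors 0, 1, 2 in use
    directory = bytes(512)                                                 # entries irrelevant for the size check
    stream = b"installer tables and CAB payload would live here".ljust(512, b"\0")
    return bytes(header) + struct.pack("<128I", *fat) + directory + stream


def demo():
    """Glue a payload onto the sample and report what each viewpoint sees."""
    clean = build_sample_msi()
    glued = clean + b"<html><script>/* constructed glued payload */</script></html>"
    return {
        "container_hash_unchanged": signed_digest(clean) == signed_digest(glued),
        "trailing_bytes_clean": trailing_bytes(clean),
        "trailing_bytes_glued": trailing_bytes(glued),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A signature verifier that only hashes the container reports the glued file as intact; a scanner that also asks "is there anything after the container?" flags it. The same comparison of declared versus physical size is worth running on any signed format whose signature is computed over a parsed structure rather than over every byte of the file.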
Another example involves Android: our specialists found a vulnerability of the same kind there, one that lets cybercriminals modify files without affecting the signature.
So we recommend using an anti-virus. All files should be scanned both when they are downloaded and when they are launched. You cannot rely on the operating system to refuse to run a file that hackers have modified.