Microsoft Windows doesn’t have a good way to handle digital certificates that have been tampered with, Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab, said Tuesday at the company’s North American Virus Analyst Summit in San Francisco.
One problem is that it doesn’t clearly indicate when such certificates have been tampered with, he said.
This could make it difficult to stop malware that uses digital certificates that have been altered. That will eventually impact the reputation-based approach antivirus vendors are now taking to keep users secure.
Redmond’s Digital Cert Issues
The Stuxnet worm, which surfaced last month, used fake Verisign digital certificates issued to hardware manufacturer Realtek Semiconductor. That certificate was revoked by Microsoft and Verisign.
Microsoft issued an out-of-band security update, MS10-046, to address the flaw on Tuesday.
“Stuxnet led me to investigate how Windows is handling signed files,” Kaspersky Lab’s Schouwenberg said.
He took a legitimate software package and removed the signature of the digital certificate it contained, then installed the package on his computer. The Installer application didn’t indicate that the certificate had been modified. Schouwenberg had to drill down into the file’s digital properties in order to discover that the signature had been removed.
“Only an expert will be able to detect a problem,” Schouwenberg said. “And all Microsoft will tell you is that the file is not signed.”
Microsoft should indicate the certificate was tampered with and the user should not run the file, Schouwenberg asserted.
“What’s the point of having a digital certificate when the operating system doesn’t indicate someone has tampered with it?” Schouwenberg asked.
“It seems that Microsoft is focused on user experience over security,” Ryan Permah, manager of product security at McAfee, told TechNewsWorld.
A Clear and Possibly Present Danger
The revocation of the fake Realtek certificate only means that no new software can be signed with that certificate. However, software that was previously signed with it may still be floating around.
End users who receive a file signed with the revoked Verisign certificate from Realtek will have no indication that the certificate has been revoked, Schouwenberg pointed out.
“Microsoft must improve its handling of signed files,” Schouwenberg said. “The way Windows is doing this now is very sub-optimal.”
Improved signed file handling will lead to better security, Schouwenberg told TechNewsWorld.
“Other malware which uses tampered certificates could be stopped more easily in its tracks,” he explained.
The Other Side of the Story
Microsoft doesn’t generally use certificates for application control, McAfee’s Permah pointed out.
“Implementing this would break a variety of applications, and Microsoft have had a long history of not requiring applications to be signed,” Permah explained.
Apple does use certificates for its iPhone platform, and this has helped reduce malware, but “Apple controls the entire ecosystem down to who can develop apps and how apps are distributed,” Permah remarked. “Microsoft doesn’t have this luxury, nor would it really want to do this as it stifles innovation.”
Another issue with implementing digital certificates is that they’re not used by all vendors, and even those who do use them may make mistakes, Permah said.
Trust Me in the Morning
The problem with fake signed certificates is that they engender a false sense of trust, Kaspersky Lab’s Schouwenberg warned.
“Stealing VeriSign certificates constitutes an attack against security software as well as the user because the VeriSign certificate is typically the hardest one to come by, so antivirus products put a lot of trust in those certificates,” Schouwenberg said.
Fake certificates undercut the reputation-based approach many antivirus software vendors use to protect their customers online. Increasingly, security packages will scan URLs returned when users do an online search, for example, and indicate how safe the site to which the URL links is. They do this by referring to trust databases that compile information about the reliability of a website.
“Given the increasing weight that’s being put on reputation, I’m strongly convinced that this is only the beginning,” Schouwenberg said. “Let’s do as much as we can in advance and mitigate this issue as much as possible before it becomes a huge problem,” he added.