A ten-year-old Windows vulnerability is still being exploited by hackers to make it appear that executables are legitimately signed, with the fix from Microsoft still “opt-in” after all these years.
The vulnerability, known as CVE-2013-3900, was first disclosed by Microsoft in 2013 and allows adding content to an executable’s Authenticode signature section (WIN_CERTIFICATE structure) in a signed executable without invalidating the signature.
As a result, even after modifying the file, Windows still shows it as correctly signed by Microsoft.
The vulnerability has been used in recent attacks, including a 3CX supply chain and a Zloader malware distribution campaign in January.
Microsoft made the fix optional, likely because it would invalidate legitimate, signed executables that stored data in the signature block of an executable. However, this has left Windows users vulnerable to supply chain attacks where DLLs used by the Windows desktop application are replaced with malicious versions that download additional malware to computers, such as an information-stealing trojan.
The fix can only be enabled by manually editing the Windows Registry, and even if enabled, it will be removed once you upgrade to Windows 11, making your device vulnerable again.
As a result, most developers are not aware of the flaw, and they look at a malicious file and assume it’s trustworthy as Windows reports it as being so. While enabling the optional fix may cause an issue with some installers not showing as signed, the added protection is worth the inconvenience.
BleepingComputer reached out to Microsoft about the continued abuse of this flaw and it only being an opt-in fix but has not received a reply. Dormann, a senior vulnerability analyst at ANALYGENCE, warned that when a fix is optional, the masses aren’t going to be protected.
Microsoft should fix the flaw, even if those inconveniences developers. The fact that the vulnerability has been exploited by numerous threat actors for almost ten years indicates the urgency of the issue.
