November 26, 2020

CVE-2020-16922: Windows Spoofing Vulnerability Alert


Digital signatures are used in many places on the Internet. We rely on digital certificates to secure connections when browsing websites, and on digital signature verification when installing software.

Software developers usually sign their software with a digital certificate. If the software is tampered with, the signature no longer validates, which warns users to install with care.

That protection is exactly what the digital signature spoofing vulnerability Microsoft disclosed in August, which attracted a lot of attention, undermined: attackers could use it to spoof what the digital certificate verification interface displays.

That vulnerability had been known to and exploited by attackers in the wild for two years before it was discovered and patched. Now, this month, Microsoft has announced another security vulnerability involving digital signature spoofing.

The CVE-2020-16922 vulnerability announced by Microsoft this month is a digital signature spoofing vulnerability. A spoofing vulnerability exists when the system incorrectly verifies the signature of a file. Attackers can use this vulnerability to bypass security features and load files that are not properly signed.

Put simply, the vulnerability lets an attacker wrap malicious software in the digital signature of legitimate software and bypass Microsoft's certificate verification.

For example, the attacker can combine a legitimately signed MSI package with a CAT (catalog) file so that the system still displays a valid digital signature.

Normally, combining signed legitimate software (whether signed by the same or a different publisher) with unsigned software should fail verification; the vulnerability allows such a combination to pass.

As a result, malicious files can pass digital signature verification and thereby bypass the other security checks that rely on it, which poses a threat to end users and especially to enterprises.
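The bypass described above depends on a signed MSI package ending up bundled with extra content that the signature check does not reject. One defender-side triage check, added here as an example that is not part of the original article and not Microsoft's own detection logic, is to compare an MSI file's size on disk with the size its compound-file (CFB) structure actually accounts for: an MSI is an OLE compound file, so any bytes past the last sector the FAT marks as in use are outside the container the signature describes. The example assumes that such appended data is the anomaly worth flagging; the minimal compound file it builds and the "catalog blob" it appends are constructed in memory for illustration and are not real samples.

```python
"""Flag data appended past the end of an MSI's compound-file (CFB) structure.

Constructed example: builds a minimal, valid CFB container in memory, then
shows that appending an arbitrary blob is detectable by comparing the on-disk
size with the size the FAT (sector allocation table) actually accounts for.
"""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HEADER_SIZE = 512
FREESECT = 0xFFFFFFFF     # unallocated sector
ENDOFCHAIN = 0xFFFFFFFE   # last sector of a chain
FATSECT = 0xFFFFFFFD      # sector holds part of the FAT itself
DIFSECT = 0xFFFFFFFC      # sector holds part of the DIFAT


def _sector(data: bytes, index: int, sector_size: int) -> bytes:
    """Return sector `index`; sectors are numbered from 0, starting right after the header."""
    start = HEADER_SIZE + index * sector_size
    chunk = data[start:start + sector_size]
    if len(chunk) != sector_size:
        raise ValueError(f"sector {index} lies outside the file")
    return chunk


def _fat_sector_indices(data: bytes, sector_size: int) -> list:
    """Collect FAT sector numbers from the header DIFAT, then from any chained DIFAT sectors."""
    count_fat = struct.unpack_from("<I", data, 0x2C)[0]
    first_difat = struct.unpack_from("<I", data, 0x44)[0]
    indices = [i for i in struct.unpack_from("<109I", data, 0x4C) if i != FREESECT]
    entries_per_sector = sector_size // 4
    next_difat = first_difat
    while next_difat not in (ENDOFCHAIN, FREESECT) and len(indices) < count_fat:
        entries = struct.unpack_from(f"<{entries_per_sector}I", _sector(data, next_difat, sector_size))
        indices.extend(i for i in entries[:-1] if i != FREESECT)
        next_difat = entries[-1]  # the last entry chains to the next DIFAT sector
    return indices[:count_fat]


def expected_cfb_size(data: bytes) -> int:
    """Size the container accounts for: the header plus every sector the FAT marks as in use."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    entries_per_sector = sector_size // 4
    highest_used = -1
    for fat_no, fat_index in enumerate(_fat_sector_indices(data, sector_size)):
        entries = struct.unpack_from(f"<{entries_per_sector}I", _sector(data, fat_index, sector_size))
        for offset, entry in enumerate(entries):
            if entry != FREESECT:
                highest_used = max(highest_used, fat_no * entries_per_sector + offset)
    return HEADER_SIZE + (highest_used + 1) * sector_size


def trailing_bytes(data: bytes) -> int:
    """Bytes present on disk beyond what the compound-file structure accounts for."""
    return len(data) - expected_cfb_size(data)


def build_sample_msi() -> bytes:
    """Constructed minimal CFB: header, one FAT sector (sector 0), one empty directory sector (sector 1)."""
    sector_size = 512
    header = bytearray(HEADER_SIZE)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, sector shifts
    struct.pack_into("<IIIII", header, 0x2C, 1, 1, 0, 4096, ENDOFCHAIN)  # 1 FAT sector, dir at sector 1, no mini-FAT
    struct.pack_into("<II", header, 0x44, ENDOFCHAIN, 0)  # no DIFAT sectors
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))  # header DIFAT: the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytes(sector_size)  # all-zero directory entries count as unused
    return bytes(header) + fat + directory


if __name__ == "__main__":
    clean = build_sample_msi()
    tampered = clean + b"CONSTRUCTED-CATALOG-BLOB " * 28  # 700 bytes appended, not sector-aligned
    for name, blob in (("clean", clean), ("with appended data", tampered)):
        extra = trailing_bytes(blob)
        verdict = "ok" if extra == 0 else f"SUSPICIOUS: {extra} bytes past the CFB structure"
        print(f"{name}: {len(blob)} bytes on disk, {verdict}")
```

Treat a non-zero result as a triage signal rather than proof of tampering: a writer that leaves free sectors at the end of a container would also produce trailing bytes, although in that case the excess is a whole number of sectors, whereas appended foreign data usually is not. The check deliberately does not evaluate the Authenticode signature itself; it only answers whether the file holds bytes that no signed container structure can account for, which is the kind of anomaly that should cause verification to be treated as failed.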

Currently, related signature spoofing vulnerabilities have been fixed by Microsoft, and Microsoft urges users to install the latest cumulative update to ensure that these vulnerabilities will not be exploited again.

As a security measure, Microsoft also updated the security policy of Microsoft Defender. The new security policy will strengthen the detection and identification of digital signatures for such software.

Any anomaly causes the digital signature verification to fail, after which the system's other security measures step in to check the software.

Microsoft recommends that users enable cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus.

With this enabled, unrecognized software is uploaded to the cloud, analysed with artificial intelligence and machine learning, and the verdict is returned to the system.