Windows binaries generated with versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature.
This issue was reported by Zhang of Security Research Lab (@). After verifying Mr. Zhang’s report, we released an updated version of and notified our existing customers so they could re-build and re-release their installers.
Authenticode is a Windows technology designed to ensure executable files cannot be tampered with. It allows unauthenticated attributes to be added after signing without invalidating the signature, as described in the following article: https://blogs.msdn.microsoft.com/ieinternals/2014/09/04/caveats-for-authenticode-code-signing/

 installers created with versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature. A specially crafted payload can be appended to an existing installer and trick the installer initialization code into executing code contained in that payload, while the existing signature remains valid.
 customers should re-build and re-release their installers using version 19.7.0 or later. Because this issue can be exploited with existing binaries that have already been released, they should also remind their users to download installers only from official sources. Additionally, publishing a hash (such as SHA-256) for the binaries gives customers a secondary way of verifying the integrity of the installers: while the Authenticode signature may still be valid, modified installers will have a different hash.
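As an added illustration (not part of this advisory or of the vendor's tooling), the following Python script locates a PE file's Authenticode certificate table, walks its WIN_CERTIFICATE entries, and reports bytes the table's declared size covers but no entry accounts for, together with the SHA-256 hash recommended above. The PE it builds is a constructed, header-only stub with a placeholder certificate, not a real signed installer; the `extra` argument simply simulates the kind of slack a reviewer would want flagged.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Attribute Certificate Table slot in the data directories

def security_directory(pe: bytes):
    """Return (file offset, size) of the Authenticode certificate table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 optional-header prefix
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

def inspect_signed_pe(pe: bytes) -> dict:
    """Report bytes the Authenticode hash does not cover: slack inside the certificate table."""
    cert_off, cert_size = security_directory(pe)
    if cert_size == 0:
        raise ValueError("file carries no Authenticode signature")
    pos, end, entries = cert_off, cert_off + cert_size, 0
    while pos + 8 <= end:                         # walk WIN_CERTIFICATE entries (8-byte aligned)
        dw_length = struct.unpack_from("<I", pe, pos)[0]
        if dw_length < 8 or pos + dw_length > end:
            break
        entries, pos = entries + 1, pos + ((dw_length + 7) & ~7)
    return {
        "sha256": hashlib.sha256(pe).hexdigest(),  # secondary integrity check the advisory recommends
        "entries": entries,
        "table_slack": end - pos,                 # bytes in the table that belong to no entry
        "trailing_bytes": len(pe) - end,          # data past the table (covered by the hash)
    }

def build_sample(extra: bytes = b"") -> bytes:
    """Constructed minimal PE32+ stub (headers only); `extra` is counted into the table size."""
    cert = b"\x30\x00" + b"C" * 22                # placeholder for the PKCS#7 blob, not a signature
    entry = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
    table = entry + b"\0" * (-len(entry) % 8) + extra
    cert_off = 0x40 + 4 + 20 + 240                # DOS hdr + "PE\0\0" + file hdr + PE32+ optional hdr
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_off, len(table))
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + file_hdr + opt + table
```

A non-zero `table_slack` on a released installer is worth a closer look, and the SHA-256 value lets users compare against the hash published alongside the download.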
A ‘hard revocation’ of the customer's Authenticode signing certificate is an optional, alternative step. However, it has many practical limitations. In addition to invalidating potentially modified installers, it will invalidate legitimate installers, including existing deployments of the customer's application binaries that may have been signed with the same certificate. Even with a revoked certificate, various versions of Windows will still allow the binaries to be executed.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5530 to this issue. engineers have evaluated this issue to have a CVSSv3 score of 6.7.
 would like to thank Mr. Zhang for responsibly reporting this issue to us.
Given the potential impact of this security issue, we urge our users to upgrade and re-build their installers as soon as possible.