Installer tampering while preserving authenticode signature 

Windows binaries generated with InstallBuilder versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature.

This issue was reported by Youfu Zhang of Chaitin Security Research Lab (@ChaitinTech). After verifying Mr. Zhang’s report, we released an updated version of InstallBuilder and notified our existing customers so they could re-build and re-release their installers.

Background

Authenticode is a Windows technology designed to ensure executable files cannot be tampered with. It allows unauthenticated attributes to be added after signing without invalidating the signature, as described in the following article: https://blogs.msdn.microsoft.com/ieinternals/2014/09/04/caveats-for-authenticode-code-signing/

InstallBuilder installers created with versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature. A specially crafted payload can be appended to an existing installer and trick the installer initialization code into executing code included in that payload, while the existing signature remains valid.

Remediation

InstallBuilder customers should re-build and re-release their installers using version 19.7.0 or later. Because this issue can be exploited against existing binaries that have already been released, they should also remind their users to only download installers from official sources. Additionally, publishing a hash (such as SHA-256) for the binaries gives customers a secondary way of verifying the integrity of the installers: while the Authenticode signature may still be valid, modified installers will have a different hash.
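As an added illustration of the two points above (why the signature survives an appended payload, and how a published hash catches it), here is a Python script that is not from BitRock or the InstallBuilder project. It compares a file's SHA-256 against the published value and inspects the PE attribute certificate table for bytes that sit inside the table but are not part of the DER-encoded signature blob, which is where an unauthenticated addition has to live for the signature to keep verifying. The header offsets follow the published PE/COFF format; the minimal PE32+ image, its placeholder certificate blob and every function name are constructed for this example and do not come from the advisory.

```python
"""Defender-side integrity checks for a signed Windows installer (example code).

1. Compare the full-file SHA-256 with the vendor-published hash: an appended
   payload changes it even when the Authenticode signature still verifies,
   because the signature's digest excludes the certificate table.
2. Inspect the attribute certificate table (data directory entry 4) and
   report bytes that are not part of the DER-encoded PKCS#7 blob. A table
   written by signtool carries at most 7 bytes of quadword padding there;
   anything more merits investigation.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # entry holds (file offset, size) of the table


@dataclass
class CertTableReport:
    table_offset: int
    table_size: int
    der_length: int      # PKCS#7 SEQUENCE size, tag and length field included
    slack_bytes: int     # bytes in the table beyond the blob and its padding
    trailing_bytes: int  # bytes after the table end

    @property
    def suspicious(self) -> bool:
        return self.slack_bytes > 0 or self.trailing_bytes > 0


def _der_sequence_length(buf: bytes) -> int:
    """Total length (tag + length field + content) of the DER SEQUENCE at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                       # short form
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if not 1 <= n <= 4 or len(buf) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def _security_directory(pe: bytes) -> tuple:
    """(offset, size) of the certificate table, read from the optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                    # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                     # PE32: data directories start at 96
        dirs = opt + 96
    elif magic == 0x20B:                   # PE32+: data directories start at 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def inspect_certificate_table(pe: bytes) -> Optional[CertTableReport]:
    """None for an unsigned file, otherwise a layout report on the table."""
    off, size = _security_directory(pe)
    if size == 0:
        return None
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then bCertificate
    _dw_length, _rev, _ctype = struct.unpack_from("<IHH", pe, off)
    der_len = _der_sequence_length(pe[off + 8:off + size])
    padding = (-der_len) % 8               # blob is zero-padded to a quadword
    slack = max(0, size - 8 - der_len - padding)
    trailing = len(pe) - (off + size)
    return CertTableReport(off, size, der_len, slack, trailing)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_installer(pe: bytes, published_sha256: str) -> dict:
    """Published-hash comparison combined with the certificate table inspection."""
    actual = sha256_hex(pe)
    report = inspect_certificate_table(pe)
    return {
        "sha256": actual,
        "hash_matches": hmac.compare_digest(actual, published_sha256.lower()),
        "signed": report is not None,
        "cert_table_suspicious": bool(report and report.suspicious),
        "report": report,
    }


def build_sample_pe(extra_in_table: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image (no sections) with a placeholder table.

    The blob is a bare DER SEQUENCE shell, not a real PKCS#7 signature, so it
    exercises only the layout checks above.
    """
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    blob = b"\x30\x64" + b"\xAA" * 100                       # SEQUENCE, 100-byte body
    blob += b"\0" * ((-len(blob)) % 8)                       # quadword padding
    table_len = 8 + len(blob) + len(extra_in_table)
    table = struct.pack("<IHH", table_len, 0x0200, 0x0002) + blob + extra_in_table
    cert_off = 64 + 4 + len(coff) + len(opt)                 # 328, quadword aligned
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, table_len)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + trailing


if __name__ == "__main__":
    good = build_sample_pe()
    published = sha256_hex(good)           # the value a vendor would publish
    modified = build_sample_pe(extra_in_table=b"X" * 64)
    for name, image in (("original", good), ("modified", modified)):
        print(name, verify_installer(image, published))
```

The hash comparison is the check the advisory recommends and is the one users can perform from a download page; the certificate table inspection is a triage aid for anyone who has to look at an installer without a published hash, and it only flags layout, it does not validate the signature itself (leave that to Windows or signtool). Windows also offers an opt-in hardening for this class of certificate-table padding, the EnableCertPaddingCheck setting under the Wintrust configuration key in the registry, which makes signature verification reject tables that carry such extra data.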

A ‘hard revocation’ of the customer's Authenticode signing certificate is an optional, alternative step. Unfortunately it has many practical limitations. In addition to invalidating potentially modified installers, it will invalidate legitimate installers, including existing deployments of the customer's application binaries that may have been signed with the same certificate. Even with a revoked certificate, various versions of Windows will still allow the binaries to be executed.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5530 to this issue. BitRock engineers have evaluated this issue to have a CVSSv3 score of 6.7.

BitRock would like to thank Youfu Zhang for responsibly reporting this issue to us.

You can download the latest version of InstallBuilder from our download page. If you have any questions regarding this security issue, or if you need any help with upgrading your installer, please do not hesitate to contact BitRock Support through email at support@bitrock.com or through our Help Desk.

Conclusion

Given the potential impact of this security issue, we urge our users to upgrade and re-build their installers as soon as possible.