SHA1-signed *.exe files will be warned about after you install the latest Windows patch

Started by BenYeeHua, January 13, 2016, 05:26:29 PM


BenYeeHua

SHA1-signed *.exe files that you download from the Internet will trigger a SmartScreen warning after you install the Windows patches released on Jan 12, 2016, so you may see some installers or portable software you download get an "unknown publisher" warning from SmartScreen. :P

If you are facing this issue, you may want to inform the publisher/developer about it, so that the average user who doesn't know anything about signatures will still "feel safe" installing the software. ;D

And don't worry, Bitsum's products aren't affected by this, as they were prepared for this change. :)
---
On the browser side, I am not sure about Chrome, but Firefox has been forced to re-enable SHA1 certificate support for MiTM because some software (anti-virus) does MiTM while also using SHA1 certificates for it. :P
https://bugzilla.mozilla.org/show_bug.cgi?id=1236975

Jeremy Collake

Yes, thanks to BenYeeHua's warning last month, Bitsum was well prepared for this transition. Thanks man!

Unfortunately for everyone else, I am seeing A LOT of Windows software vendors who are not ready. This especially affects vendors who don't do frequent maintenance, or even abandoned projects.

p.s. There is also a separate issue with the deprecation of SHA1 on SSL certificates (e.g. HTTPS). Again, Bitsum has already taken care of this, using SHA2 on all our servers.
Software Engineer. Bitsum LLC.

BenYeeHua

Quote: Unfortunately for everyone else, I am seeing A LOT of Windows software vendors who are not ready. This especially affects vendors who don't do frequent maintenance, or even abandoned projects.
Well, I guess Windows 10 is much more important for Microsoft, as I didn't see any news about this SHA1 deprecation. :P

Even famous anti-virus products in China have SHA1-signed installers, so it is very hard to see a lot of vendors caring (or knowing) about this...

Jeremy Collake

Symantec was nice enough to send us a notice about this change on Dec 31, 2015 - 24 hours before it took effect, lol.
Software Engineer. Bitsum LLC.

Jeremy Collake

Our dual-signed SHA 1 and SHA2 executables are triggering a SmartScreen filter warning in Windows 10. There are several possibilities as to why, including that we just need to build up history for our SHA2 signature.

EDIT: And IE11 is just throwing a 'corrupt or invalid signature' error and refusing to allow it to be run, even by opting out.

EDIT2: It DOES also appear that all other SHA1 post-Jan1 files are affected. So Microsoft is enforcing their mandate.

There is considerable confusion right now, even by the Google Chrome team, about what is what. It seems in traditional Microsoft fashion, they are afraid to be too aggressive at deprecating anything.

http://security.stackexchange.com/questions/109629/deprecation-of-sha1-code-signing-certificates-on-windows
Software Engineer. Bitsum LLC.

BenYeeHua

Yup, just checked the latest installer; SmartScreen is showing the publisher, but it looks like some software only has its own signature. :P

Just for research, can you provide an installer or any exe that is only signed with SHA2? Just to check whether there is any difference between dual-signed and SHA2-only signed. :)

PS: The latest Chrome Canary is dual-signed, but the installer (or downloader, small installer, whatever name you want to call it ;D) is still an old version that postdates 1 Jan 2016, so they just updated their Chrome.exe. :)

Jeremy Collake

I will upload an SHA-2 only file here later for additional testing (I did a bit and saw no improvement over dual-signing, which is what I'd expect).

Our SHA2 digital signature will improve in reputation quickly, and I've taken additional steps to deal with the issue. I expect it to resolve within a few more days.
Software Engineer. Bitsum LLC.

BenYeeHua

So do I, and I guess you have also tested with some anti-virus? :D

It might be much easier to test with just SHA2-signed, to check whether they can verify the exe with just the SHA2 signature or not. :)
(for security or false reports. ;))

Jeremy Collake

Yes, we have closely monitored security software as well. We are grateful to say that, knock on wood, we haven't had any issues in that regard. We may have a few, but it seems OK so far. Most of them know our site and do a crawl of it to get our latest downloads and signatures.

Here is the SHA2-only binary (rcimport.exe from our internal RC tools): (mangled) https://bitsum.com / files / rcimport_sha2_only.zip
Password: sha2-only

I believe now that we have dual-signing with SHA2 signing 'done right' with a proper reissued SHA2 code, we'll be good.
Software Engineer. Bitsum LLC.
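The thread keeps asking whether a given installer is SHA1-only, SHA2-only, or dual-signed, and whether its SHA1 signature is timestamped before the cutoff. The following PowerShell script is an added example (not Bitsum's code, not anything from the original posts) that answers that by walking the PE security directory and decoding each PKCS#7 blob with .NET's SignedCms. It matters because Windows dual-signing stores the SHA-2 signature *nested* inside the SHA-1 one (unsigned attribute OID 1.3.6.1.4.1.311.2.4.1), so Get-AuthenticodeSignature on its own only reports the outer signature. The script name and the input path are assumptions; OIDs and PE offsets are the ones documented by Microsoft.

```powershell
# Added example, not code from Bitsum or from the original post: list every Authenticode
# signature a PE file carries, including SHA-2 signatures nested inside a SHA-1 one.
# Usage (assumed name): .\Get-AuthenticodeDigests.ps1 .\installer.exe
param([Parameter(Mandatory = $true)][string]$Path)

Add-Type -AssemblyName System.Security

$digestNames = @{
    '1.3.14.3.2.26'          = 'SHA1'
    '2.16.840.1.101.3.4.2.1' = 'SHA256'
    '2.16.840.1.101.3.4.2.2' = 'SHA384'
    '2.16.840.1.101.3.4.2.3' = 'SHA512'
}
$oidNested   = '1.3.6.1.4.1.311.2.4.1'   # szOID_NESTED_SIGNATURE (how dual-signing stores the 2nd signature)
$oidRfc3161  = '1.3.6.1.4.1.311.3.3.1'   # szOID_RFC3161_COUNTERSIGN
$oidPkcs9CS  = '1.2.840.113549.1.9.6'    # PKCS#9 countersignature (legacy Authenticode timestamp)
$oidSignTime = '1.2.840.113549.1.9.5'    # PKCS#9 signingTime

function Get-SecurityDirectory([byte[]]$b) {
    # IMAGE_DOS_HEADER.e_lfanew -> 'PE\0\0' -> 20-byte COFF header -> optional header
    $peOff = [BitConverter]::ToInt32($b, 0x3C)
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { throw "$Path is not a PE file" }
    $optOff = $peOff + 24
    $magic  = [BitConverter]::ToUInt16($b, $optOff)
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY,
    # whose VirtualAddress field is a raw file offset rather than an RVA.
    if ($magic -eq 0x10B) { $dirBase = $optOff + 96 }
    elseif ($magic -eq 0x20B) { $dirBase = $optOff + 112 }
    else { throw "Unknown optional header magic 0x$($magic.ToString('X'))" }
    return @{
        Offset = [BitConverter]::ToUInt32($b, $dirBase + 4 * 8)
        Size   = [BitConverter]::ToUInt32($b, $dirBase + 4 * 8 + 4)
    }
}

function Get-SignatureReport([byte[]]$pkcs7, [string]$label) {
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($pkcs7)
    foreach ($si in $cms.SignerInfos) {
        $digestOid = $si.DigestAlgorithm.Value
        $digest = if ($digestNames.ContainsKey($digestOid)) { $digestNames[$digestOid] } else { $digestOid }
        $timestamp = 'none'
        $nested = New-Object 'System.Collections.Generic.List[byte[]]'
        foreach ($attr in $si.UnsignedAttributes) {
            if ($attr.Oid.Value -eq $oidRfc3161) {
                $timestamp = 'RFC3161 (time is inside TSTInfo, not decoded here)'
            } elseif ($attr.Oid.Value -eq $oidPkcs9CS) {
                $timestamp = 'Authenticode countersignature'
                # The legacy timestamp's signingTime is the date that decides which side of the
                # 1 Jan 2016 cutoff a SHA-1 signature falls on.
                foreach ($cs in $si.CounterSignerInfos) {
                    foreach ($a in $cs.SignedAttributes) {
                        if ($a.Oid.Value -eq $oidSignTime) {
                            $t = $a.Values[0]
                            if ($t -is [System.Security.Cryptography.Pkcs.Pkcs9SigningTime]) {
                                $timestamp += ' ' + $t.SigningTime.ToUniversalTime().ToString('u')
                            }
                        }
                    }
                }
            } elseif ($attr.Oid.Value -eq $oidNested) {
                foreach ($v in $attr.Values) { $nested.Add($v.RawData) }
            }
        }
        [pscustomobject]@{
            Signature  = $label
            FileDigest = $digest
            Signer     = $si.Certificate.Subject
            CertSigAlg = $si.Certificate.SignatureAlgorithm.FriendlyName
            Timestamp  = $timestamp
        }
        $i = 0
        foreach ($n in $nested) { $i++; Get-SignatureReport $n "$label/nested$i" }
    }
}

$bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
$dir = Get-SecurityDirectory $bytes
if ($dir.Size -eq 0) { Write-Warning "$Path carries no Authenticode signature at all"; return }

$pos = [int]$dir.Offset
$end = [int]($dir.Offset + $dir.Size)
$entry = 0
while ($pos -lt $end) {
    # WIN_CERTIFICATE: DWORD dwLength; WORD wRevision; WORD wCertificateType; BYTE bCertificate[]
    $len  = [int][BitConverter]::ToUInt32($bytes, $pos)
    $type = [BitConverter]::ToUInt16($bytes, $pos + 6)
    if ($type -eq 0x0002) {   # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        $entry++
        $pkcs7 = New-Object byte[] ($len - 8)
        [Array]::Copy($bytes, $pos + 8, $pkcs7, 0, $len - 8)
        Get-SignatureReport $pkcs7 "entry$entry"
    }
    $pos += ($len + 7) -band -8   # each entry is padded to an 8-byte boundary
}
```

A correctly dual-signed file shows two rows: `entry1` with FileDigest SHA1 and `entry1/nested1` with FileDigest SHA256, each with its own timestamp. A SHA2-only file shows a single SHA256 row. Note that FileDigest (what SmartScreen's policy is about) is distinct from CertSigAlg, the algorithm the CA used to sign the certificate; the two can differ, which is one source of the confusion mentioned in the thread.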

Jeremy Collake

Software Engineer. Bitsum LLC.

BenYeeHua

Yup, just what I think: most devs will be forcing the other devs (who might not care about security) to improve security, and Windows XP is getting cracked down on; Win XP users will be left with security issues, and so will the government. :)

(Fun fact, a Malaysian gov webpage that contains personal information is just an HTTP + IP address link...) :P

-----
Just tested the Process Lasso installer and also the SHA2-only installer; no SmartScreen pops up now, so it is "safe" (for Bitsum) now. ;)
And interestingly, I just ran a SHA1-signed installer on Windows 7, but no SmartScreen popped up; maybe it is disabled by some software...
I may need to check it tomorrow.. :P

(BTW, the password is wrong and I just guessed it right, but I will let the other users guess the right password; it just needs some "backspace" to find it.) ::)

---- A little off-topic
For security reasons, I tested what extraction tools do with the "downloaded from the Internet" label that the browser puts on files, i.e. whether they label the extracted files or not.

Windows File Explorer - Pass
WinRaR - Pass
2345好压 - Failed

So as you can see, any software that focuses on adware functionality will not take care of small security details on the files, even though they provide a scanning engine that scans the files before extracting/running them. ::)
This is caused by users asking for FEATURES!!! that can be seen, not small (security) details that can't be felt; it also shows how meticulous the devs are. ;)

It will also be interesting for anti-virus: do they look at this label or not, and do some "heavy" scanning on the downloaded files. :D
----

Anyway, case closed, and Windows XP should be saying goodbye next year. :)

Just kidding, big companies will still be supporting SHA1 for XP users, and increase the danger for most modern Windows users. ;D
This chicken & egg, or that chicken & egg? (compared with forcing users onto an up-to-date Windows with modern security support, but reduced software compatibility) :)
https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/
http://arstechnica.com/security/2015/12/sha1-sunset-will-block-millions-from-encrypted-net-facebook-warns/

Maybe blocking their SHA1 certs is a good idea, before browsers start blocking them next year. ;D
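The Explorer / WinRAR / 2345好压 comparison above can be made reproducible. What the browser actually writes is the `Zone.Identifier` alternate data stream (`ZoneId=3` for the Internet zone), and that stream on the file that is finally run is what SmartScreen keys on, so an extractor that drops it silences SmartScreen for everything inside the archive. The PowerShell below is an added example, not part of the original post and not anyone's product code: it builds a zip, stamps it the way a download would be stamped, runs an extraction step you supply, and reports which extracted files still carry the stream. The default extractor is `Expand-Archive`; it assumes `$env:TEMP` is on NTFS, and all paths are invented.

```powershell
# Added example, not part of the original post: check whether an extraction tool
# propagates the Mark of the Web (Zone.Identifier stream) to the files it unpacks.
# -Extract is the unpack step under test; replace the default with the tool you
# want to check, e.g. { param($zip, $dest) & 'C:\Program Files\WinRAR\WinRAR.exe' x -y $zip "$dest\" }
param(
    [scriptblock]$Extract = { param($zip, $dest) Expand-Archive -Path $zip -DestinationPath $dest -Force }
)

$work = Join-Path $env:TEMP ('motw-test-' + [guid]::NewGuid().ToString('N'))
$src  = Join-Path $work 'payload'
$out  = Join-Path $work 'extracted'
$null = New-Item -ItemType Directory -Path $src, $out -Force

try {
    # 1. Constructed input: a fake "program" inside a zip, as a download would deliver it.
    Set-Content -Path (Join-Path $src 'tool.exe') -Value 'not really an executable'
    $zip = Join-Path $work 'download.zip'
    Compress-Archive -Path "$src\*" -DestinationPath $zip -Force

    # 2. Stamp the zip exactly the way a browser does after an Internet-zone download.
    Set-Content -Path $zip -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

    # 3. Run the extractor under test.
    & $Extract $zip $out

    # 4. An extracted file without the stream is one SmartScreen will never look at.
    $results = @(Get-ChildItem -Path $out -File -Recurse | ForEach-Object {
        $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        [pscustomobject]@{ File = $_.Name; Labeled = [bool]($zone -match 'ZoneId=3') }
    })
    $results | Format-Table -AutoSize | Out-String | Write-Host

    if ($results.Count -eq 0) { 'Failed: nothing was extracted' }
    elseif ($results | Where-Object { -not $_.Labeled }) { 'Failed: extractor dropped the Mark of the Web' }
    else { 'Pass: Mark of the Web propagated to every extracted file' }
}
finally {
    Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it once per tool (passing each one's command line as `-Extract`) to reproduce the Pass/Failed table from the post. The same `Get-Content -Stream Zone.Identifier` check is also the quickest way to confirm the point made later in the thread about download stubs: a file written by an already-running installer, rather than saved by the browser, carries no stream at all.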

Jeremy Collake

Yea, the big enterprises don't like change. Heck, a lot are still refusing to give up XP. Change costs money, even if it saves money down the road -- but that kind of short-term thinking is common.

I did notice the SmartScreen filter resolved itself a day after I made the original post, I had edited the post about that, though forgot to mention it here. So, we are in the clear.
Software Engineer. Bitsum LLC.

BenYeeHua

Yes, and the bad thing is if the gov doesn't force them to change, no one will change, and it is funny that Windows 10 still supports very old hardware and provides the latest security, yet no one wants it. ::)
(of course the Windows 10 stability issues are the biggest reason ;D)

Just try running around and seeing how many people are running old Android with a lot of important information; they just don't care about it, because updates break things, so why would I want to break something while it is running fine? :P
(Of course after they update it they find it is much smoother with ART used)

Even worse, my Edu cares about security more than the gov.
And yes, the Edu website/services are causing some issues now, and no one wants to fix it when your account is having issues, until they point out who should be the person that handles it. ::)
----
Quote: I did notice the SmartScreen filter resolved itself a day after I made the original post, I had edited the post about that, though forgot to mention it here. So, we are in the clear.

So I guess MS didn't update their servers with the latest information (as SmartScreen accesses MS servers to confirm the SHA2 signature); I guess MS is also in a rush on this. ;D

Jeremy Collake

The voodoo behind SmartScreen is intentionally kept obscure, so who knows for sure, but I suspect the primary cause was an automated bot that scans downloads at known whitelisted domains. We've been around so long, with such a spotless history, that we are on most of those lists. Either that, or the download count quickly escalated once we fixed the SHA2 signature chain.
Software Engineer. Bitsum LLC.

BenYeeHua

Well, we never know how it works, but it is working, mostly on Edge/IE for phishing websites (excluding China). ;D

Jeremy Collake

I noticed that Corsair (http://www.corsair.com/) released a software update Jan 26, and are getting the warnings we had. It seems many will have the pain of finding out their signing, or dual-signing, isn't up to snuff in 2016.
Software Engineer. Bitsum LLC.

BenYeeHua

Well, still the same for 360安全卫士. :P

I also checked Avira and Adobe; they are having the same issues.
I wonder why they don't choose to bypass this temporarily like Mozilla; just having their small installer (online installer) SHA2-signed should be enough to bypass this warning, as they don't label the downloaded installer as a downloaded file, so the warning is gone. ;)

Jeremy Collake

Yes, a download stub, which is now very common (e.g. Chrome uses one), has been one suggested way of dealing with it for companies that can't handle dual-signing for whatever reason. In Firefox's case, I read their limitation was the code signing mechanism they use. The larger you get, the harder it is to change. That's one of the advantages of being a smaller company.
Software Engineer. Bitsum LLC.

BenYeeHua

Yup, except Google: if you don't have it, then just create it, and if it fails then just drop it. :P