Managing Certificate Expiry

Articles, Infrastructure | 10 November, 2021 | 0

At the turn of midnight at the end of October, parts of Windows 11 suddenly stopped working. The Snipping Tool, touch keyboard and emoji panel refused to run because of an expired certificate. Microsoft rushed out an emergency fix to restore some of the broken parts of Windows 11 on the 5th November.

How can an expired certificate stop installed apps from working overnight, and what do security and development managers need to do to stop it happening to them?

How application signing works

A digital signature can be used to verify the identity of the developer of an app before it is installed – and to confirm that the contents of the app have not been modified since the developer released the application files.  In this way the user is protected against supply chain attacks that inject malicious code into the application or from impersonation attacks where a malicious user creates a clone of a well-known app with malicious behaviour.

All the major platforms support digital signatures for applications (and drivers). Microsoft’s platform is called Authenticode, Apple’s is called app signing, and on Linux there is Sigstore. All these systems work in essentially the same way, using public key cryptography, with a public-private key pair, to sign and authenticate the application binaries. To use Microsoft Authenticode as a worked example:

The developer first obtains a certificate from a trusted certificate authority recognised by Microsoft. This certificate is used to confirm the identity of the developer. Note that unlike the Apple developer program, Microsoft is not involved in this process – although they are for apps distributed via the Windows App Store.

When an application is compiled in Visual Studio, a utility called signtool is used to generate a digital signature using the developer’s private key. When using signtool, there is an option to include a timestamp in the digital signature. If a timestamp is not included, the application cannot be validated by the operating system when it is executed after the signing certificate has expired. If a timestamp is included, the app will happily execute after the signing certificate has expired provided it was originally signed before that time. Microsoft highlights this need in their documentation:

The URL to the time stamp service is provided by the CA (certificate authority), and is optional for testing. It is important for production signing to include a valid time stamp authority, or the signature will fail to validate when the certificate expires.

Digital signatures can also be applied to Windows Installer (MSI) packages in order to prevent them from being tampered with during distribution.

For apps that are distributed through the Microsoft Store, the digital signing takes place during the publishing process and is done automatically by Microsoft using the certificates associated with the developer’s Microsoft account.

The digital signature for each application, whether released directly or via the Microsoft Store, is created using the private key associated with the developer’s certificate, so if that certificate is revoked then all apps signed with that key will fail to validate their signatures. This provides a measure of protection against the abuse of lost or stolen developer certificates. It also creates, as seen in the Apple v Epic lawsuit, the threat that an app store vendor can instantly remove a developer’s ability to create and sign new application versions.


The benefits of code signing

For applications that are distributed to the public, the benefits of using digital signatures to confirm the identity and authenticity of applications are clear – and mandatory in order to use most app stores as a distribution platform.

However, signing in-house built applications that are only ever used on the internal network is also something that security managers would do well to consider – for all the same reasons.  Using and validating digital signatures as part of the DevOps build and deployment cycle will help defend against unauthorised modification of application code and can help identify if out-of-date versions of applications are being used.


Managing certificate expiry

Ever since the widespread deployment of web server certificates to encrypt SSL and TLS traffic, IT admin teams have had to put in place some type of process to ensure that certificates are renewed and replaced before they expire, whether it’s as simple as an Excel file that someone (supposedly) checks every month or a more sophisticated management system. What is clear is that the increased reliance on digitally signed application code and drivers requires an integrated approach between the Development and Security teams, to ensure that the chain of trust that flows from app signatures to the enterprise’s public key infrastructure is protected and intermediate certificates are not allowed to expire.
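
One way to turn the timestamp rule and the expiry tracking described above into a routine check, as an added example that is not from the original article: the script walks a folder with PowerShell's Get-AuthenticodeSignature, builds each signer's certificate chain, and reports signed files that carry no timestamp and whose signing or intermediate certificate expires within a warning window. The folder path and the 90-day window are assumptions.

```powershell
# Added example, not from the article. $Path and $WarnDays are assumed defaults.
param(
    [string]$Path = $env:ProgramFiles,
    [int]$WarnDays = 90
)

$cutoff = (Get-Date).AddDays($WarnDays)

$report = Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.msi' } |
    ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
        if ($null -eq $sig.SignerCertificate) { return }   # unsigned: out of scope

        # Build the chain without revocation lookups so the scan works offline and
        # covers intermediate and root certificates as well as the signer's own.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($sig.SignerCertificate)

        # Always include the signer certificate, even if the chain came back empty.
        $certs = @($sig.SignerCertificate) +
                 @($chain.ChainElements | ForEach-Object { $_.Certificate })
        $first = $certs | Sort-Object NotAfter | Select-Object -First 1

        [pscustomobject]@{
            File         = $file.FullName
            Status       = $sig.Status
            Timestamped  = $null -ne $sig.TimeStamperCertificate
            FirstExpiry  = $first.NotAfter
            ExpiringCert = $first.Subject
        }
    }

# A signature without a timestamp stops validating once a chain certificate
# expires, so those files are the ones that will break on FirstExpiry.
$report |
    Where-Object { -not $_.Timestamped -and $_.FirstExpiry -lt $cutoff } |
    Sort-Object FirstExpiry |
    Format-Table -AutoSize -Wrap
```

Files it lists need re-signing with a timestamp (signtool's /tr option, using the time stamp URL supplied by your CA) before the date shown.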

