At the turn of midnight at the end of October, parts of Windows 11 suddenly stopped working. The reason why the Snipping Tool, touch keyboard and emoji panel refused to run was an expired certificate. Microsoft rushed out an emergency fix to restore some of the broken parts of Windows 11 on the 5th November.
How can an expired certificate stop installed apps from working overnight, and what do security and development managers need to do to stop it happening to them?
How Application signing works
A digital signature can be used to verify the identity of the developer of an app before it is installed – and to confirm that the contents of the app have not been modified since the developer released the application files. In this way the user is protected against supply chain attacks that inject malicious code into the application or from impersonation attacks where a malicious user creates a clone of a well-known app with malicious behaviour.
All the major platforms support digital signatures for applications (and drivers). Microsoft’s platform is called Authenticode, Apple’s is called app signing and on Linux there is Sigstore. All these systems work in essentially the same way, by using public key cryptography and public-private keys to sign and authenticate the application binaries. To use Microsoft Authenticode as a worked example:
The developer first obtains a certificate from a trusted certificate authority recognised by Microsoft. This certificate is used to confirm the identity of the developer. Note that unlike the Apple developer program, Microsoft is not involved in this process – although they are for apps distributed via the Windows App Store.
When an application is compiled in Visual Studio, a utility called signtool is used to generate a digital signature using the developer’s private key. When using signtool, there is an option to include a timestamp in the digital signature. If a timestamp is not included, the application cannot be validated by the operating system when it is executed after the signing certificate has expired. If a timestamp is included, the app will happily execute after the signing certificate has expired provided it was originally signed before that time. Microsoft highlights this need in their documentation:
The URL to the time stamp service is provided by the CA (certificate authority), and is optional for testing. It is important for production signing to include a valid time stamp authority, or the signature will fail to validate when the certificate expires.
Digital signatures can also be applied to Windows Installer (MSI) packages in order to prevent them from being tampered with during distribution.
For apps that are distributed through the Microsoft Store, the digital signing takes place during the publishing process and is done automatically by Microsoft using the certificates associated with the developer’s Microsoft account.
The digital signature for each application – whether released directly or via the Microsoft Store, is created using the private key associated with the developer’s certificate – so if that certificate is revoked then all apps signed with that key will fail to validate their signatures. This provides a measure of protection against the abuse of lost or stolen developer certificates – or as seen in the Apple v Epic lawsuit, the threat of an app store vendor being able to instantly remove the ability of a developer from being able to create and sign new application versions.
The benefits of code signing
For applications that are distributed to the public, the benefits of using digital signatures to confirm the identity and authenticity of applications are clear – and mandatory in order to use most app stores as a distribution platform.
However, signing in-house built applications that are only ever used on the internal network is also something that security managers would do well to consider – for all the same reasons. Using and validating digital signatures as part of the DevOps build and deployment cycle will help defend against unauthorised modification of application code and can help identify if out-of-date versions of applications are being used.
Managing certificate expiry
Ever since the widespread deployment of web server certificates to encrypt SSL and TLS traffic, IT admin teams have had to put in place some type of process to ensure that certificates are renewed and replaced before they expire. Whether it’s as simple as an Excel file that someone is (supposed to) check every month or a more sophisticated management system. What is clear, is that the increased reliance on digitally signed application code and drivers requires an integrated approach between the Development and Security teams to ensure that the chain of trust that flows from app signatures to the enterprise’s public key infrastructure is protected and intermediate certificates are not allowed to expire.