Windows 10: Malware exploits decade old Windows bug, which has an opt-in fix

Discussion in 'Windows 10 News' started by GHacks, Apr 3, 2023.

  1. GHacks
    GHacks New Member

    Malware exploits decade old Windows bug, which has an opt-in fix


    A decade old Windows bug, for which a fix is available, is currently being used by malware in attacks against Windows devices. Malware actors may exploit the vulnerability to add malicious code to signed Windows files without them losing their signed status.

    Digital signatures are used on Windows to determine the authenticity of files. Most security solutions check for signatures when they check files on Windows machines.

    What makes this exploit even more problematic is the fact that a fix is available, but that it is opt-in. If that was not enough, it appears that upgrades to Windows 11 may drop the fix, if applied in the Windows Registry.

    Bleeping Computer reported this week that the VOIP communications company 3CX was compromised. The attackers managed to include malware in the company's desktop application for Windows. Two DLL files used by the desktop application were modified by the threat actors to include malware, more precisely, an information-stealing trojan.

    What makes the attack special is that the attackers are exploiting CVE-2013-3900, WinVerifyTrust Signature Validation Vulnerability, which Microsoft first confirmed in 2013 and updated in early 2022 with additional information.

    How to protect Windows devices against the attacks



    Microsoft published an opt-in fix to address the issue in 2013, and it has been valid ever since.

    Windows 64-bit versions may be protected with the following Registry code:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"="1"

    Note: you need to paste the code into a plain text file and rename its file extension, so that it is .reg. We have uploaded a Zip archive with Registry files for 32-bit and 64-bit versions of Windows: windows-registry-fix

    All you need to do is double-click on the file to add the information to the Registry (a verification prompt is displayed, which you need to allow).

    A restart of the system is required. Delete the listed Registry values to undo the change at any time.

    Enabling the changes will make non-conforming binaries "appear unsigned" and be rendered untrusted as a consequence.

    Why opt-in?

    Why did Microsoft release the patch this way instead of integrating it directly into Windows? The extensive FAQ on the support page provides an answer. According to Microsoft, enabling the stricter verification behavior may "impact some installers" and also certain AppLocker behavior and Software Restriction Policies.

    Closing Words

    Windows administrators may check the listed Registry values above to verify if the devices are protected against the vulnerability. Windows devices that were upgraded to Windows 11 need to be rechecked, as the Registry values are likely no longer there after the upgrade. Note that applying the changes using policies should keep them enabled after the upgrade.

    Thank you for being a Ghacks reader. The post Malware exploits decade old Windows bug, which has an opt-in fix appeared first on gHacks Technology News.

    GHacks, Apr 3, 2023
    #1
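The post's closing advice is to check the two Registry values, and to recheck them after an upgrade to Windows 11. One way to do that check is sketched below as an added example; it is not code from gHacks or Microsoft, and the function name `Test-CertPaddingCheck` and its output fields are illustrative. It assumes a 64-bit PowerShell session on 64-bit Windows, so that the native and Wow6432Node keys are read separately.

```powershell
# Added example: audits the EnableCertPaddingCheck values listed in the post.
# Test-CertPaddingCheck and its output fields are illustrative names.
function Test-CertPaddingCheck {
    [CmdletBinding()]
    param()

    $name  = 'EnableCertPaddingCheck'
    $paths = @('HKLM:\Software\Microsoft\Cryptography\Wintrust\Config')
    # The Wow6432Node copy only exists on 64-bit Windows.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    }

    foreach ($path in $paths) {
        $state = 'Missing'   # key or value absent, e.g. dropped by an upgrade
        $raw   = $null
        $kind  = $null
        if (Test-Path -LiteralPath $path) {
            $key = Get-Item -LiteralPath $path
            if ($key.GetValueNames() -contains $name) {
                $raw  = $key.GetValue($name)
                $kind = $key.GetValueKind($name)
                # The .reg file in the post writes the string "1". Kind is
                # reported so a value of another type stands out in review.
                $state = if ("$raw" -eq '1') { 'Enabled' } else { 'Disabled' }
            }
        }
        [pscustomobject]@{
            Path  = $path
            State = $state
            Value = $raw
            Kind  = $kind
        }
    }
}

$results = @(Test-CertPaddingCheck)
$results | Format-Table -AutoSize

# Flag the device if any of the checked keys lacks the opt-in setting.
$gaps = @($results | Where-Object { $_.State -ne 'Enabled' })
if ($gaps.Count -gt 0) {
    Write-Warning "EnableCertPaddingCheck is not enabled in $($gaps.Count) location(s)."
}
```

The object output can be collected across machines, which makes it easy to spot devices where the values went missing after an upgrade.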
  2. PhillipJR Win User

    Autoruns displays decades old timestamps

    Hello,

    I recently reset my Windows 10 installation and it seemed I was attacked by some exploits like trying to rewrite the logon screensaver and writing strange string files to C:\Windows. When checking Autoruns I noticed there were several entries in Task Scheduler with timestamps either decades old or decades ahead, some of these are related to Windows Defender. Are these tampered with? Or are they normal? They are all verified and 0 on VirusTotal check.
     
    PhillipJR, Apr 3, 2023
    #2
  3. Compumind Win User
    Compumind, Apr 3, 2023
    #3
  4. Malware exploits decade old Windows bug, which has an opt-in fix

    Malware error "Malware Anti-Exploit Protection is not started. The Anti-Exploit process will be terminated" on Windows 10

    Old title: Malware error

    I keep getting the message "Malware Anti-Exploit Protection is not started. The Anti-Exploit process will be terminated." I uninstalled Norton Virus Protection from my computer because it was causing errors. I am using Slim Cleaner as my Anti virus program.
    How do I resolve this error and does Norton Antivirus conflict with Slim Cleaner? Appreciate any assistance given.

    Thanks,
     
    Ms. Jagr55, Apr 3, 2023
    #4