Windows XP: inconsistent verification messages for signed executables


Yorick Koster, April 2008

Abstract


Under certain conditions, when a user tries to run a modified signed executable, Windows produces an incorrect signing message. It states that the digital signature is correct while this is not the case. This may convince users to run (potentially) unsafe executables.

Tested versions


This issue was verified on a fully patched Windows XP SP2 system (April 2008) for both Internet Explorer 6 and Internet Explorer 7. This issue does not affect Windows Vista.

Fix


This issue has been addressed in Service Pack 3 for Windows XP.

Introduction


Microsoft Authenticode is a technology that can be used to sign various file formats, such as .exe, .ocx, .dll & .cab files. Signatures are used to prove the authenticity & integrity of these files. A signature tells users who (which vendor) created (or actually signed) the file and whether the file was modified afterwards. It does not guarantee that the file is safe to run or use.

With Authenticode, it is still the responsibility of the end user to verify whether the digital signature is correct. If the file was modified, it is still possible to execute the file. Windows will not produce any error message telling the user that a file was modified, with the exception of files obtained from the Internet. Even in that case, users can still choose to execute the file.

Modified WgaTray.exe


To test the issue described in this document, a modified version of the WgaTray.exe executable was used. WgaTray.exe is a signed executable, signed by Microsoft. The file was modified in such a way that it shows a message box when it is executed. Because of this modification, the digital signature will be incorrect. Figure 1 shows an example of the message that is shown when a user verifies the signature of a modified executable. The message for a correct signature can be found in figure 2.


Figure 1: Invalid signature on modified version of WgaTray.exe


Figure 2: Valid signature on original WgaTray.exe

Running from the web


Sometimes when browsing the web, the browser is instructed to download an executable file. In the case of Internet Explorer, the user is given the option to run, save or cancel the download. If a user chooses to run the executable and the executable is signed, the signature is checked before running the file. If the signature is correct, Internet Explorer will display a message similar to the one shown in figure 3. This message gives end users the opportunity to verify the signature. If the signature belongs to a trusted party, the user can choose to run the executable.


Figure 3: Running WgaTray.exe from a website

In case the signature appears to be incorrect, Internet Explorer will refuse to run the executable. Instead it will show a message similar to the one shown in figure 4.


Figure 4: Internet Explorer prevents running of modified WgaTray.exe

Saving & running signed executables


If a user chooses to save an executable rather than running it directly, extra data is added to this file. Specifically, the security zone from which the file is downloaded is stored within an alternate data stream named Zone.Identifier. If the user executes a file, Windows will search for this alternate data stream and, if it exists, Windows will issue a similar warning as shown in figures 3 & 4.

If the file is signed and has been tampered with, Windows will warn the user that it may be unsafe to proceed. "Unknown Publisher" is used as the name of the publisher in the dialog box that is presented to the end user. If the user clicks on the publisher name, they will see the digital signature information. In this case, Windows will incorrectly show that the digital signature is correct. This might confuse the user and may result in the execution of a modified executable when the user trusts the digital signature information and dismisses the security warning.

The same behaviour is seen when a tampered signed executable is started from a Windows share. In this case Windows produces the same security warning, even if the alternate data stream does not exist.


Figure 5: Invalid signature verification messages after saving and running modified WgaTray.exe
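As an added illustration that is not part of this advisory, the Python below reads and decodes the Zone.Identifier alternate data stream described in the "Saving & running signed executables" section, so a defender can tell which security zone a saved file was marked with. The INI-style stream layout ([ZoneTransfer] / ZoneId=n) and the zone numbering are assumptions of this example, not statements from the advisory.

```python
"""Inspect the Zone.Identifier alternate data stream (ADS) on a saved file.

Assumed (not stated in the advisory): the ADS body is INI-style text such as
    [ZoneTransfer]
    ZoneId=3
and ZoneId follows the URL security zone numbering below.
"""

ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(text):
    """Return the key/value pairs found in the [ZoneTransfer] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def zone_of(text):
    """Return (zone_id, zone_name); (None, None) if no usable ZoneId is present."""
    try:
        zone_id = int(parse_zone_identifier(text)["ZoneId"])
    except (KeyError, ValueError):
        return None, None
    return zone_id, ZONE_NAMES.get(zone_id, "Unknown zone %d" % zone_id)


def read_zone_identifier(path):
    """Read the ADS body of `path`; None when the stream is absent or unreadable.

    NTFS exposes a named stream as 'file:stream', so it opens like a file.
    """
    try:
        with open(path + ":Zone.Identifier", "r", errors="replace") as ads:
            return ads.read()
    except OSError:
        return None


# Constructed sample of the stream a browser writes for an Internet download.
SAMPLE_ADS = "[ZoneTransfer]\r\nZoneId=3\r\n"
```

On an NTFS volume, `zone_of(read_zone_identifier("saved.exe"))` reports the zone a downloaded file was marked with; the warning the advisory describes is tied to the presence of this stream.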