bleepingcomputer[.]com/news/microsoft/10-year-old-windows-bug-with-opt-in-fix-exploited-in-3cx-attack/
msrc.microsoft[.]com/update-guide/vulnerability/CVE-2013-3900
The files that make up Windows [& most apps] are signed as a way of showing that they have not been tampered with. Windows, security software, software installers etc. look for that. However, it's possible to alter the Authenticode signature section of a file and Windows by default will still regard it as signed. Microsoft also released a fix 10 years ago, sort of... you have to add 2 registry keys for 64-bit Windows, since there is no update you can run, and it was never included in any Windows security patches. That's because some companies, e.g. Google, alter that area of a file on purpose, and applying Microsoft's fix *might* break something.
Microsoft provides the details to create 2 .reg files, one to turn stricter compliance checking on, & one to turn it off -- if you decide to turn it on, it's just as easy to turn it off when / if necessary.
To enable the functionality perform the following steps:
For 32-bit versions of Microsoft Windows
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification.reg).
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

You can apply this .reg file to individual systems by double-clicking it.
Note You must restart the system for your changes to take effect.
For 64-bit versions of Microsoft Windows
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification64.reg).
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

You can apply this .reg file to individual systems by double-clicking it.
Note You must restart the system for your changes to take effect.
Impact of enabling the functionality change: Non-conforming binaries will appear unsigned and, therefore, be rendered untrusted.
How to disable the functionality. Perform the following to delete the registry value previously added.
For 32-bit versions of Microsoft Windows, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, disableAuthenticodeVerification.reg).
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"=-

You can apply this .reg file to individual systems by double-clicking it.
Note You must restart the system for your changes to take effect.
For 64-bit versions of Microsoft Windows, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, disableAuthenticodeVerification64.reg).
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"=-

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"=-

You can apply this .reg file to individual systems by double-clicking it.
Note You must restart the system for your changes to take effect.
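To confirm which state a machine is in after applying either .reg file, the read-only check below looks for EnableCertPaddingCheck in both registry views. It is an added example, not part of Microsoft's instructions; the function name Get-CertPaddingCheckState and the ValueIsOne column are made up for this illustration.

```powershell
# Added example: audit EnableCertPaddingCheck in both registry views (read-only).
function Get-CertPaddingCheckState {
    $subKey = 'Software\Microsoft\Cryptography\Wintrust\Config'
    $name   = 'EnableCertPaddingCheck'
    # Registry64 is the native view on 64-bit Windows; Registry32 is the view
    # that the Wow6432Node key in the 64-bit .reg file maps to.
    $views = @([Microsoft.Win32.RegistryView]::Registry32)
    if ([Environment]::Is64BitOperatingSystem) {
        $views = @([Microsoft.Win32.RegistryView]::Registry64) + $views
    }
    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key   = $base.OpenSubKey($subKey)   # $null when the key is absent
            $value = $null
            $kind  = $null
            if ($key) {
                $value = $key.GetValue($name)    # $null when the value is absent
                if ($null -ne $value) { $kind = $key.GetValueKind($name) }
                $key.Dispose()
            }
            # The .reg files above write the string "1"; Kind is reported so a
            # value stored with a different type can be spotted.
            [pscustomobject]@{
                View       = $view
                Present    = ($null -ne $value)
                Kind       = $kind
                Value      = $value
                ValueIsOne = ("$value" -eq '1')
            }
        }
        finally { $base.Dispose() }
    }
}

$state = Get-CertPaddingCheckState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.ValueIsOne }) {
    Write-Warning 'EnableCertPaddingCheck is not set to 1 in every registry view.'
}
```

This reports only what is stored in the registry; a value added since the last restart is not yet in effect.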