
Windows - Security - Mitigate WinVerifyTrust Signature Validation (CVE-2013-3900)

This worklet mitigates the WinVerifyTrust Signature Validation vulnerability (CVE-2013-3900).

Worklet Details

Why use the Mitigate WinVerifyTrust Signature Validation (CVE-2013-3900) Worklet?

CVE-2013-3900 is a remote code execution vulnerability that affects the Authenticode signature verification for portable executable (PE) files. An attacker could exploit the vulnerability by modifying an existing signed executable file and adding malicious code to the file without invalidating the signature. 

How does the Mitigate WinVerifyTrust Signature Validation (CVE-2013-3900) Worklet work?

The Mitigate WinVerifyTrust Signature Validation (CVE-2013-3900) Worklet follows Microsoft's recommended mitigation steps by ensuring that the EnableCertPaddingCheck registry value is set to 1.
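
The check described above can be sketched as a standalone audit-and-set script. This is an added example, not Automox's Worklet code: the two registry key paths are taken from Microsoft's CVE-2013-3900 guidance rather than from this page, and the `-Remediate` switch, the function names and the choice of REG_DWORD are assumptions of the example.

```powershell
# Added example (not Automox's Worklet code): audit, and optionally set, EnableCertPaddingCheck.
param([switch]$Remediate)

# Assumption: key paths come from Microsoft's CVE-2013-3900 guidance; this page does not list them.
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)
$Name = 'EnableCertPaddingCheck'

# A 32-bit process on 64-bit Windows is redirected to Wow6432Node and would check one key twice.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Write-Warning 'Run this from 64-bit PowerShell so both registry views are checked.'
}
# Wow6432Node exists only on 64-bit Windows.
if (-not [Environment]::Is64BitOperatingSystem) { $Paths = @($Paths[0]) }

function Test-CertPaddingCheck {
    param([string]$Path)
    # A missing key or value means the stricter check is off (the Windows default).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    # Compare as a string so that REG_DWORD 1 and REG_SZ "1" both count as enabled.
    return ($null -ne $item) -and ("$($item.$Name)" -eq '1')
}

function Set-CertPaddingCheck {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null   # creates the missing Wintrust\Config subkeys
    }
    # Assumption: written as REG_DWORD; use -PropertyType String if your scanner expects REG_SZ.
    New-ItemProperty -Path $Path -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
}

$failed = @($Paths | Where-Object { -not (Test-CertPaddingCheck -Path $_) })
if ($failed.Count -gt 0 -and $Remediate) {
    $failed | ForEach-Object { Set-CertPaddingCheck -Path $_ }
    # Re-read after writing so the result reflects what is actually in the registry.
    $failed = @($Paths | Where-Object { -not (Test-CertPaddingCheck -Path $_) })
}

$failed | ForEach-Object { Write-Output "Non-compliant: $_" }
if ($failed.Count -gt 0) { exit 1 }   # non-zero exit lets a scheduler or agent flag the endpoint
Write-Output 'EnableCertPaddingCheck is 1 in every checked key.'
exit 0
```

Run without `-Remediate` first to inventory endpoints; because stricter verification can reject some Authenticode-signed software, apply the change to a pilot group before rolling it out broadly.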

What is the WinVerifyTrust API?

WinVerifyTrust is an API (Application Programming Interface) in the Windows operating system that is used to verify the authenticity and integrity of files, especially executables and drivers, before they are executed or installed. 

It’s commonly used to check the digital signature of a file to ensure that it comes from a trusted and legitimate source. Digital signatures are used to confirm the authenticity of files and to detect any tampering or modifications that may have occurred.

What is WinVerifyTrust Validation (CVE-2013-3900)?

In December 2013, CVE-2013-3900 was published for a vulnerability in WinVerifyTrust Signature Validation. The vulnerability made it possible for an attacker to exploit the padding of a Windows Authenticode signature to gain control of a system.

Microsoft had initially proposed a default 'opt-in' solution for Windows users by implementing a pair of registry keys. However, this plan was officially scrapped in 2014 due to compatibility issues with software signed using Windows Authenticode.

Over time, malicious actors have capitalized on this open vulnerability, using it to distribute malware and ransomware. This led to its inclusion in CISA's Known Exploited Vulnerabilities Catalog. As of January 21, 2022, Microsoft updated its guidance, making it the users' responsibility to configure non-default settings on all Windows systems, including versions 10 and 11.

What's a Worklet?

Consider Automox Worklets your easy button. Grab ready-to-go PowerShell and BASH code from our catalog to automate any scriptable task on your Windows, macOS, and Linux endpoints.