By Susan Bradley
Digitally signed software is a system designed to build trust in the applications you install on a PC.
Most of us don’t think twice about installing digitally-signed software, but we should — now that malware has made this system less trustworthy.
MS10-019 (978601, 979309)
Signed software may install more than advertised
In my first Patch Watch item, I’m showcasing a trust exploit, not a browser exploit. PC users regularly install digitally-signed software, trusting that it’s clean, safe, and what the vendor intended to provide. Microsoft security bulletin MS10-019 includes two updates to fix problems in Windows Authenticode and Windows Cabinet File Viewer. Without these two patches, it’s possible for you to unwittingly install infected software that bears a seemingly genuine digital signature.
While that sounds extremely scary, I’ll remind you that all too often we merrily install unsigned apps. We’ve all seen the warning shown in Figure 1. I myself recently added an unsigned Microsoft hotfix to my Windows 7 machine. The truth is, Microsoft tech support regularly sends fixes by e-mail and includes patch installers with no digital signatures. Almost without fail, I simply go ahead and install the hotfix.
Figure 1. An example of unsigned files from Microsoft.
The affected systems that are patched by MS10-019 are those running:
- Windows XP SP2 and SP3
- XP Pro x64 Edition SP2
- Vista, Vista SP1 and SP2, 32- and 64-bit versions
- Windows 7, 32- and 64-bit versions
- Windows Server 2008 and Server 2008 R2
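As an added example (not from the column or from Microsoft), here is a defender-side pre-install check in PowerShell: it confirms that the two MS10-019 updates named above (KB978601 and KB979309) are present on the host, then reports the Authenticode status of an installer before it is run. The installer path and the function names are placeholders chosen for this illustration.

```powershell
# Added example: check MS10-019 is installed, then inspect an installer's signature.
# Assumes a Windows host where Get-HotFix and Get-AuthenticodeSignature are available.
param(
    [string]$InstallerPath = 'C:\Downloads\setup.exe'   # placeholder path, supply your own
)

# KB numbers come from the MS10-019 bulletin heading in the column.
$RequiredKBs = @('KB978601', 'KB979309')

function Test-Ms10019Installed {
    # Compare the installed hotfix IDs against the two KBs the bulletin ships.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = $RequiredKBs | Where-Object { $installed -notcontains $_ }
    if ($missing) {
        Write-Warning ('MS10-019 incomplete; missing: ' + ($missing -join ', '))
        return $false
    }
    return $true
}

function Get-InstallerSignatureReport {
    param([string]$Path)
    # Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    }
}

$patched = Test-Ms10019Installed
$report  = Get-InstallerSignatureReport -Path $InstallerPath
$report | Format-List

# A 'Valid' verdict is only as trustworthy as the verifier producing it, which is
# what MS10-019 fixes: on an unpatched host, treat 'Valid' as not yet verified.
if (($report.Status -ne 'Valid') -or (-not $patched)) {
    Write-Warning "Hold off on running $InstallerPath until it verifies on a patched host."
}
```

Run it once after applying the April updates to confirm both KBs show up, then reuse it on any installer that arrives by e-mail or download, including unsigned hotfixes like the one in Figure 1.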
MS10-026 (977816) and MS10-027 (979402)
Patch now to protect against drive-by downloads
I’m discussing security bulletins MS10-026 and MS10-027 together in this item. Although the two bulletins patch different flaws, they address similar attacks on Microsoft MPEG codecs and Media Player — the now-familiar remote-code execution problem.