“It’s quite an important bit of software in the Windows operating system”
New Microsoft Surface Pro tablets have shipped with a revoked certificate from a Taiwanese certificate authority, one carrying certificate-signing privileges, “embedded” in their Windows operating system, according to a British cybersecurity startup, Cybersec Innovation Partners (CIP) – an issue that the company says could lead to “fraud, identity theft, malicious surveillance and remote access.”
London-based, Tunbridge Wells-registered CIP was established in July 2018. It names former Global Head of Cyber Security at HSBC, Paul Foster, as CIO.
CIP provides a PKI/software certificate deep discovery and life cycle management platform, “Whitethorn” [pdf] acquired from a German software vendor that developed it for a NATO project. The alleged issue was found with Whitethorn, which lets customers “scan, detect and automate the discovery, issuance, integrity, exchange and remediation of keys and certificates.”
The company has not published a proof-of-concept exploit, and no CVE has been assigned, but it said it disclosed the issue to Microsoft on May 13.
Microsoft Surface Pro Certificate Find “A Real Eye-Opener”
CIP’s Paul Foster discovered the revoked certificate from Chunghwa Telecom while running Whitethorn on a brand new Surface Pro, the company claimed today.
In a call with Computer Business Review, Foster said that he would be “running it on every operating system out there and bit of software; we’re already working with another well-known software vendor for whom we discovered a similar issue; [unlike Microsoft] they have been very responsive and are patching it now.”
He added: “One reason a certificate might be revoked is because its key is compromised. Malicious actors could start signing as a root Certificate Authority and putting out fake software updates with a weaponised payload. There are some very clever nation state actors increasingly using certificates in their campaigns; it’s an issue creeping up in scale.”
Pressed on the details of the certificate in question, he said: “I’m not giving out the file name until this is patched.” (CIP disclosed it to Microsoft on May 13, received a response on May 15 but have since faced limited correspondence, he said, adding, “maybe they think it is low risk. I disagree; it’s an issue.”)
He added: “It’s quite an important bit of software in the Windows operating system. That if compromised could affect every Windows 32-bit system out there, and there’s probably a quarter of a billion of those. Once Microsoft fixes it we’ll publish full details.”
Microsoft has been contacted for comment.
Microsoft Surface Pro Certificate Issue: How Much of a Risk?
Every digital certificate binds a public key to information about the identity of its holder. What that information is varies by use case, but it can include the organisation’s name and location, the domain name for a web server certificate, or other data, along with the purposes the certificate may be used for (for example signing code, or issuing further certificates).
Certificates must be issued by a “Certificate Authority” (CA) that is trusted by the systems that will rely on them. For use across the public internet (such as web sites, server-to-server connections, or email), certificates must chain to a public CA whose roots are trusted by essentially every system on the internet. That trust is not permanent: a CA can revoke a certificate before it expires, typically because the private key was compromised or the certificate was mis-issued, and publishes that fact through a certificate revocation list (CRL) or an OCSP responder. Revocation only protects relying parties that actually check it. A revoked certificate still sitting in a system’s trust store does nothing by itself, but any software that verifies signatures against it without performing a revocation check will keep accepting whatever is signed with its key.
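As an added illustration of the checks described above (example code written for this page, not code from CIP, Whitethorn or Microsoft), the following PowerShell enumerates the machine-wide trust stores on a Windows host, builds a chain for each certificate with revocation checking forced online, and lists anything that comes back revoked, uncheckable, or explicitly distrusted. The list of store names and the 15-second URL timeout are assumptions chosen for the demo; it must run on Windows with network access to the issuing CAs’ CRL/OCSP endpoints.

```powershell
# Added example for this article, not code from CIP, Whitethorn or Microsoft.
# Audits the machine-wide trust stores on a Windows host: builds a chain for
# every certificate with revocation checking forced online and reports any
# certificate that is revoked, cannot be checked, or sits in the Disallowed
# store. Store names and the URL timeout are assumptions chosen for the demo.

$storeNames = @('Root', 'AuthRoot', 'CA', 'TrustedPublisher')

# Windows distrusts anything listed in the Disallowed ("Untrusted
# Certificates") store even if a copy also sits in Root, so record it.
$disallowed = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
    ForEach-Object { $_.Thumbprint }

function Test-TrustStoreCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Store
    )
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $policy = $chain.ChainPolicy
    # Fetch CRL/OCSP data live for every element of the chain rather than
    # trusting whatever the local cache happens to contain.
    $policy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $policy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $policy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built  = $chain.Build($Cert)
    $status = ($chain.ChainStatus |
        ForEach-Object { $_.Status.ToString() } |
        Sort-Object -Unique) -join ','
    $chain.Reset()

    [pscustomobject]@{
        Store        = $Store
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        Thumbprint   = $Cert.Thumbprint
        NotAfter     = $Cert.NotAfter
        ChainBuilt   = $built
        ChainStatus  = $status
        InDisallowed = ($disallowed -contains $Cert.Thumbprint)
    }
}

$results = foreach ($name in $storeNames) {
    Get-ChildItem -Path "Cert:\LocalMachine\$name" |
        ForEach-Object { Test-TrustStoreCertificate -Cert $_ -Store $name }
}

# Revoked is the finding the article describes; RevocationStatusUnknown and
# OfflineRevocation mean the check could not be completed and need follow-up.
$results |
    Where-Object {
        $_.InDisallowed -or
        $_.ChainStatus -match 'Revoked|RevocationStatusUnknown|OfflineRevocation'
    } |
    Format-Table Store, Subject, Issuer, Thumbprint, ChainStatus, InDisallowed -AutoSize
```

Two caveats when reading the output. A self-signed root is never revoked through its own CRL, because it has no issuer; on Windows a compromised root is distrusted by being pushed into the Disallowed store or dropped from the root program, which is why the script checks that store as well. And an empty ChainStatus with ChainBuilt set to True only says the chain verified from this machine at this moment; it says nothing about whether the software that actually consumes the certificate performs the same revocation check.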
Digital certificates are ubiquitous in contemporary IT systems. Their proliferation, and the difficulty of tracking and renewing them, have recently caused a number of issues, including a widespread telecommunications network outage.
In a recent supply chain attack hackers compromised a server for ASUS’s live software update tool, then used the breach to push a backdoor to potentially over a million computers in what Kaspersky Lab’s founder described as “one of the biggest supply-chain incidents ever”. The as-yet unidentified threat actor added a back door to the ASUS Live Update Utility, signed the modified build with a legitimate certificate, and distributed it to unwitting users through ASUS’s official channel.
SecureData’s Etienne Greeff told Computer Business Review: “Unless I misunderstood, this would only be an issue if you use software that relies on the expired certificate to verify that there have been no changes to the software. So you would need the unhappy coincidence of running software from the expired certificate provider and having somebody change the code in a location where I get/update the code from. This is not unlikely but is a convoluted attack vector.”
“What can be said however is that certificates form the keystone of trust in Cyber so it is important to get it right.”