Impact
Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., an SSL certificate).
By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight.
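The check that was missing is a small one: the signer's certificate must carry an Extended Key Usage extension that lists id-kp-codeSigning (1.3.6.1.5.5.7.3.3), and a certificate whose EKU only asserts TLS server authentication must be rejected. The following is an added illustration of that check, not uthenticode's own code (uthenticode is C++ over OpenSSL; this is written in Python and hand-parses the DER so it runs without any library). The sample extension values are constructed inline and do not come from real certificates.

```python
"""Decide whether an X.509 Extended Key Usage extension permits code signing.

Added illustration, not uthenticode's own code. It parses the DER value of the
EKU extension (ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER) directly,
so it needs neither OpenSSL nor the cryptography package.
"""

ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # RFC 5280 id-kp-codeSigning
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # RFC 5280 id-kp-serverAuth (TLS)

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element starting at data[pos]."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, cur = [], 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(cur)
            cur = 0
    first = arcs[0]  # the first two arcs are packed as 40*X+Y
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode_eku(der):
    """Decode a DER ExtKeyUsageSyntax value into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != TAG_OID:
            raise ValueError("EKU SEQUENCE contains a non-OID element")
        oids.append(decode_oid(value))
    return oids


def has_code_signing_eku(eku_der):
    """True only if an EKU extension is present and lists id-kp-codeSigning.

    eku_der is None when the certificate carries no EKU extension at all. The
    Authenticode profile requires the purpose to be asserted explicitly, so a
    missing extension is treated as "not entitled to sign code".
    """
    if eku_der is None:
        return False
    return ID_KP_CODE_SIGNING in decode_eku(eku_der)


# --- helpers used only to construct the sample values below -----------------

def encode_oid(dotted):
    """DER-encode a dotted OID (short-form length; enough for these samples)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes([TAG_OID, len(body)]) + bytes(body)


def encode_eku(oids):
    """DER-encode an ExtKeyUsageSyntax SEQUENCE from dotted OIDs."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([TAG_SEQUENCE, len(body)]) + body


# Constructed sample extension values (not taken from real certificates).
TLS_ONLY_EKU = encode_eku([ID_KP_SERVER_AUTH])
CODE_SIGNING_EKU = encode_eku([ID_KP_SERVER_AUTH, ID_KP_CODE_SIGNING])

if __name__ == "__main__":
    print("TLS-only cert may sign code:", has_code_signing_eku(TLS_ONLY_EKU))
    print("code-signing cert may sign code:", has_code_signing_eku(CODE_SIGNING_EKU))
```

In a verifier this predicate runs against the end-entity certificate that produced the SignerInfo signature, before the signature itself is accepted; a TLS-only certificate then fails closed even though its signature over the PE hash would otherwise verify, which is exactly the case the pre-2.x versions let through.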
Patches
The 2.x release series includes EKU checks.
Workarounds
There are no workarounds to this vulnerability. Users should upgrade to the 2.x series of uthenticode.
References
Forthcoming.