MD5 attack on Microsoft's Authenticode
A security expert has managed to transfer the digital signature of one Windows program to another, without invalidating the signature. Didier Stevens, who presented the attack in his blog, exploited the fact that Microsoft's Authenticode code signing standard accepts the vulnerable MD5 hash algorithm. Stevens used this to generate two programs which have identical code signatures, but behave differently.
Similar collision attacks on MD5 have already caused considerable commotion. The most prominent example is probably the work of a group of researchers who used this method to obtain a Certificate-Authority SSL certificate trusted by all common web browsers. The attack on Authenticode only requires minimal changes to the tools already available for calculating collisions. When hashing a Windows program file, Authenticode disregards the file checksum and the pointer to the signature, because these change during the signing process.
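As an added illustration (not code from Stevens' blog entry or from Microsoft), the following Python sketch computes a simplified Authenticode-style image hash that skips the PE CheckSum field, the Certificate Table directory entry and the appended signature data. It assumes a well-formed file with the signature stored at the end; build_sample_pe and simulate_signing are hypothetical helpers, and the sample bytes are constructed.

```python
import hashlib
import struct

def authenticode_digest(pe: bytes, algo: str = "sha1") -> str:
    """Simplified Authenticode image hash for a well-formed PE file."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # optional header: after 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum_off = opt + 64  # CheckSum field, 4 bytes
    certdir_off = opt + (128 if magic == 0x10B else 144)  # Certificate Table entry, 8 bytes
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir_off)
    cert_end = cert_off + cert_size
    if cert_size == 0:  # unsigned file: no signature data to skip
        cert_off = cert_end = len(pe)
    h = hashlib.new(algo)
    for start, stop in ((0, checksum_off), (checksum_off + 4, certdir_off),
                        (certdir_off + 8, cert_off), (cert_end, len(pe))):
        h.update(pe[start:stop])
    return h.hexdigest()

def build_sample_pe() -> bytes:
    """Constructed dummy PE32 header plus filler body (hypothetical sample, not a real program)."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)      # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x80 + 24, 0x10B)  # PE32 magic
    return bytes(pe) + b"\x90" * 0x100

def simulate_signing(pe: bytes, blob: bytes) -> bytes:
    """Hypothetical helper: mimic the fields that change when a signature is attached."""
    signed = bytearray(pe)
    opt = struct.unpack_from("<I", signed, 0x3C)[0] + 24
    struct.pack_into("<I", signed, opt + 64, 0xDEADBEEF)             # new checksum
    struct.pack_into("<II", signed, opt + 128, len(pe), len(blob))   # pointer to signature
    return bytes(signed) + blob

if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = simulate_signing(unsigned, b"CONSTRUCTED-SIGNATURE-BLOB")
    print("plain SHA-1 equal:       ", hashlib.sha1(unsigned).digest() == hashlib.sha1(signed).digest())
    print("Authenticode hash equal: ", authenticode_digest(unsigned) == authenticode_digest(signed))
```

Passing "md5" as the algo argument gives the digest variant the article is concerned with, provided the local hashlib build still offers MD5.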
Code signing procedures are supposed to ensure that in security-sensitive situations, operating systems only execute code that has been approved by a higher authority, without presenting users with an alert. As a result, an attack on a code signature could, for example, be exploited to inject a malicious program into a system virtually unnoticed and get the user to start it. Driver installations also require valid code signatures, or they will cause warnings to be displayed.
However, the attack demonstrated by Stevens is as good as irrelevant for practical use. With the current state of research, an attacker would need an authority whose code signatures are considered trustworthy by Windows to sign a specially crafted file with an MD5-based signature. As Microsoft's SignTool for Authenticode signatures uses the secure SHA1 hash by default, MD5 signatures are likely to be uncommon. Whether code is malicious or not doesn't really matter anyway: because most programs and many drivers don't have valid code signatures, the majority of users are accustomed to dismissing warnings caused by non-existent or untrusted code signatures with a careless click.
- Playing With Authenticode and MD5 Collisions, blog entry by Didier Stevens
- The consequences of the successful MD5 attacks, article at heise Security UK