Monday, March 7th 2022

Malware On the Prowl Using Stolen NVIDIA Code Signing Certificates

Stolen NVIDIA code-signing certificates, taken in the recent cyber-attack on the company, are being used to sign a new breed of malware that appears "trustworthy" to Windows PCs. The certificates leaked to the web as part of the hacker group's data dump expired in 2014 and 2018, but Windows still accepts drivers signed with them. One such sample, uploaded to the VirusTotal scanning service, is a variant of the Quasar RAT (remote-access trojan) signed with an NVIDIA certificate. A RAT runs in the background and grants an attacking group remote read-write access to your machine, after which they can do anything from stealing data to holding it to ransom by encrypting it.
Source: BleepingComputer

35 Comments on Malware On the Prowl Using Stolen NVIDIA Code Signing Certificates

#1
stimpy88
Where is your arrogance now, nGreedia?
#2
chrcoluk
Those certs are expired so won't be trusted, what am I missing here?
#3
ncrs
chrcoluk said: "Those certs are expired so won't be trusted, what am I missing here?"
Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted.
#4
RH92
stimpy88 said: "Where is your arrogance now, nGreedia?"
How is your comment even remotely relevant to the article ......... :banghead:
#5
R-T-B
chrcoluk said: "Those certs are expired so won't be trusted, what am I missing here?"
They will for drivers. Thank the weird code-signing world MS created.
ncrs said: "Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted."
This is the more detailed version of the answer.
#6
stimpy88
RH92 said: "How is your comment even remotely relevant to the article ......... :banghead:"
Really? How did you even figure out how to post in the first place... "remotely relevant" OMG
#7
R-T-B
stimpy88 said: "Really? How did you even figure out how to post in the first place... 'remotely relevant' OMG"
I mean, a lot of companies get hacked these days. I don't think paying up is the answer.
#8
chrcoluk
ncrs said: "Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted."
Hmm, not on AppLocker/SRP; it's been a pain to update as more certs are short-lived now. Whatever part of Windows allows expired certs needs fixing though.
#9
bug
ncrs said: "Unfortunately it's not as clear cut under Windows. An application signed by a trusted Certificate Authority, even if the CA is expired, is still trusted.
While drivers are usually WHQL-signed by Microsoft (using the Microsoft Windows Hardware Compatibility Publisher CA) there are exceptions that still get installed even if the CA certificate is expired.
There are mechanisms to revoke a CA certificate, but it's going to be a messy affair - every piece of software signed by that CA will become untrusted."
That doesn't stop Microsoft from pushing an update and blacklisting those certificates explicitly.
Hopefully users savvy enough to block updates are also savvy enough to spot an expired certificate.
#11
AusWolf
How dangerous is it actually? I mean, it's called Quasar.exe that you'd have to obtain from somewhere, and there's also UAC before it's executed.
#12
ncrs
chrcoluk said: "Hmm, not on AppLocker/SRP; it's been a pain to update as more certs are short-lived now. Whatever part of Windows allows expired certs needs fixing though."
It is a hard problem for Windows. If you let signatures by expired CAs be untrusted, then a lot of old software will stop working/throw scary errors on startup. Windows' strength is backwards compatibility so they can't really do that.
bug said: "That doesn't stop Microsoft from pushing an update and blacklisting those certificates explicitly.
Hopefully users savvy enough to block updates are also savvy enough to spot an expired certificate."
Of course, that's why I wrote that there are mechanisms to revoke certificates :)
The problem is that there's a lot of legitimate software made by NVidia which is signed with those leaked CAs. If Microsoft/NV/VeriSign revoke the certs then those executables will cause scary UAC errors. That's why a compromised CA is always a huge hurdle to fix.
AusWolf said: "How dangerous is it actually? I mean, it's called Quasar.exe that you'd have to obtain from somewhere, and there's also UAC before it's executed."
It can be called whatever really, let's say NvBroadcast.Container.exe or any other legitimate-sounding name.
Unfortunately that UAC will tell you it's valid software from NVidia, at least until the CA is revoked and the changes propagated to the Windows trust store.
#13
AusWolf
ncrs said: "It can be called whatever really, let's say NvBroadcast.Container.exe or any other legitimate-sounding name.
Unfortunately that UAC will tell you it's valid software from NVidia, at least until the CA is revoked and the changes propagated to the Windows trust store."
That's OK, but why would you give permission for any "legitimate software from nvidia" to be installed unless you yourself initiated a driver update?
#14
ncrs
AusWolf said: "That's OK, but why would you give permission for any 'legitimate software from nvidia' to be installed unless you yourself initiated a driver update?"
You overestimate the average user's security practices ;)
Most don't read those dialogues carefully unless they are errors, and some just click through them as fast as possible.

Common threats will be detected beforehand by either Windows Defender or other AV products, but a leaked trusted CA like that gives a lot of opportunities for bad actors. Tailored exploits won't be detected and will seem like legitimate software from NVidia. It's a bad situation for everybody, especially NVidia.
#15
AusWolf
ncrs said: "You overestimate the average user's security practices ;)
Most don't read those dialogues carefully unless they are errors, and some just click through them as fast as possible.

Common threats will be detected beforehand by either Windows Defender or other AV products, but a leaked trusted CA like that gives a lot of opportunities for bad actors. Tailored exploits won't be detected and will seem like legitimate software from NVidia. It's a bad situation for everybody, especially NVidia."
My point stands. It doesn't matter where the software is from - if it wasn't you that initiated the installation process, you click "No" in UAC. Simple as that. If that protects you from this malware, happy days. :)

If someone clicks "Yes" every single time UAC pops up without reading it, it's their own fault. UAC was created exactly for situations like this. All I can do is spread the word (which I do anyway).

It's a different kind of situation when you downloaded something, and UAC says it's from nvidia. But that's suspicious enough as well, I guess.
#16
pavle
That's just nasty; instead of GPU specs we get malware with their certificates, ahh the Le Chatelier principle (of least resistance/effort) and adherence to it... :rolleyes: :)
#17
bug
ncrs said: "Of course, that's why I wrote that there are mechanisms to revoke certificates :)
The problem is that there's a lot of legitimate software made by NVidia which is signed with those leaked CAs. If Microsoft/NV/VeriSign revoke the certs then those executables will cause scary UAC errors. That's why a compromised CA is always a huge hurdle to fix."
I fail to see the problem. Certificates have an expiration date because you're not supposed to use them after that date. If you install something signed by Nvidia today, it must be signed using current certificates.
#18
R-T-B
chrcoluk said: "Hmm, not on AppLocker/SRP; it's been a pain to update as more certs are short-lived now. Whatever part of Windows allows expired certs needs fixing though."
The problem is it's grandfathered in from long ago... "fix" it and suddenly any driver pre-2016 or so ceases to function.
#19
ncrs
bug said: "I fail to see the problem. Certificates have an expiration date because you're not supposed to use them after that date. If you install something signed by Nvidia today, it must be signed using current certificates."
That's not true. Take for example the GeForce 342.01 driver from 2016 which is signed with a Code Signing certificate valid from 2015 to 2018. Windows validates this signature and UAC shows the .exe to be trusted, from NVidia.
Edit: Scratch that, I misunderstood you. You're correct, the timestamping countersignature prevents using those leaked CAs for signing new software, under normal circumstances.
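The distinction the thread has been circling (an expired signer that Windows still reports as valid because the signature carries a timestamp countersignature from inside the certificate's lifetime, versus an expired signer with nothing to prove when the signing happened) is visible directly from Get-AuthenticodeSignature. The script below is an added example, not code from the article or from any commenter, and it does not ship with any NVIDIA product. It walks a folder of PE files and flags that combination; $Path and $SuspectThumbprints are placeholders (this page names no certificate thumbprints, so the list is empty until you fill it from your own intel).

```powershell
# Added example, not from the article or any commenter in this thread.
# Triage signed PE files: who signed them, whether the signer certificate has already
# expired, whether the signature is timestamped, and what Windows itself concludes.
# $Path and $SuspectThumbprints are assumptions/placeholders: adjust both to your case.
param(
    [string]   $Path = "$env:ProgramFiles\NVIDIA Corporation",
    [string[]] $SuspectThumbprints = @()   # hex thumbprints of certificates you are hunting
)

$now = Get-Date

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = $sig.SignerCertificate
    if ($null -eq $signer) { return }      # unsigned, or not a format Windows can verify

    $expired     = $signer.NotAfter -lt $now
    $timestamped = $null -ne $sig.TimeStamperCertificate   # RFC 3161 / Authenticode countersignature present

    if ($SuspectThumbprints -contains $signer.Thumbprint) {
        $flag = 'SUSPECT-SIGNER'           # signed with a certificate on your watch list
    } elseif ($expired -and -not $timestamped) {
        $flag = 'EXPIRED-NO-TIMESTAMP'     # nothing proves the signing happened before expiry
    } elseif ($expired -and $timestamped -and $sig.Status -eq 'Valid') {
        $flag = 'EXPIRED-BUT-TIMESTAMPED'  # the GeForce 342.01 case: old, and legitimately valid
    } else {
        $flag = $sig.Status.ToString()     # Valid, NotTrusted, HashMismatch, UnknownError, ...
    }

    [pscustomobject]@{
        Flag        = $flag
        File        = $_.FullName
        Signer      = $signer.Subject
        Thumbprint  = $signer.Thumbprint
        NotBefore   = $signer.NotBefore
        NotAfter    = $signer.NotAfter
        Timestamped = $timestamped
        Status      = $sig.Status
        Message     = $sig.StatusMessage
    }
} | Sort-Object Flag, File | Format-Table Flag, Status, Timestamped, NotAfter, Signer, File -AutoSize
```

Two caveats when reading the output. A timestamped signature is only as good as the timestamp authority Windows trusts, but an attacker holding a leaked key cannot obtain a backdated timestamp from a legitimate TSA, which is why EXPIRED-BUT-TIMESTAMPED files are normally old and genuine while EXPIRED-NO-TIMESTAMP ones deserve a second look. Second, Status is the user-mode Authenticode verdict; the kernel's driver-load policy that R-T-B calls "grandfathered" is a separate check, so a .sys file's Status here does not by itself tell you whether Windows would load it as a driver.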
#20
Cutechri
I'm not at all surprised this happened.
#21
mouacyk
All useless, where're ma custom BIOS
#22
chrcoluk
ncrs said: "It is a hard problem for Windows. If you let signatures by expired CAs be untrusted, then a lot of old software will stop working/throw scary errors on startup. Windows' strength is backwards compatibility so they can't really do that."
ncrs said: "Of course, that's why I wrote that there are mechanisms to revoke certificates :)
The problem is that there's a lot of legitimate software made by NVidia which is signed with those leaked CAs. If Microsoft/NV/VeriSign revoke the certs then those executables will cause scary UAC errors. That's why a compromised CA is always a huge hurdle to fix."
ncrs said: "It can be called whatever really, let's say NvBroadcast.Container.exe or any other legitimate-sounding name.
Unfortunately that UAC will tell you it's valid software from NVidia, at least until the CA is revoked and the changes propagated to the Windows trust store."
On old software I had to use other ways of whitelisting on SRP such as hash or path.

So it seems Windows itself is inconsistent, as AppLocker and SRP do not trust expired certs. But as you said, other parts of the OS do.

But those two features are aimed at enterprise use, so it's logical they are strict.

I guess it's going to be revocation and hoping people keep their cert stores updated.
#23
ncrs
chrcoluk said: "But those two features are aimed at enterprise use, so it's logical they are strict."
Yeah, I was writing about the normal user's experience.
chrcoluk said: "I guess it's going to be revocation and hoping people keep their cert stores updated."
There's no need to do anything, Windows keeps them updated and Explorer makes internet revocation checks when details of a signature are displayed (via Properties, Digital Signatures, Details).
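Revoking the certificates, as bug and ncrs discuss above, is something only the CA or Microsoft can do for everyone. An administrator who already holds a sample signed with a leaked certificate does not have to wait for that: Windows keeps an explicit-distrust store ("Untrusted Certificates", path Cert:\LocalMachine\Disallowed), and a certificate placed there fails chain building for every signature it made, timestamped or not. The script below is an added example, not code from the article or any commenter; $SamplePath is a placeholder for your own quarantined sample, and the script must run elevated because it writes to the machine store.

```powershell
# Added example, not from the article or any commenter in this thread.
# Extract the signer certificate from a signed sample you have already judged malicious,
# add it to the machine's Disallowed store, and show the before/after verdict.
# $SamplePath and $ExportPath are placeholders (assumptions). Run as Administrator.
param(
    [Parameter(Mandatory)] [string] $SamplePath,
    [string] $ExportPath = "$env:TEMP\distrusted-signer.cer"
)

$sig = Get-AuthenticodeSignature -FilePath $SamplePath
if ($null -eq $sig.SignerCertificate) {
    throw "No Authenticode signer on $SamplePath (status: $($sig.Status))"
}
$cert = $sig.SignerCertificate

"Signer  : $($cert.Subject)"
"Thumb   : $($cert.Thumbprint)"
"Valid   : $($cert.NotBefore) .. $($cert.NotAfter)"
"Before  : $($sig.Status) - $($sig.StatusMessage)"

# The leaf certificate only (public part, DER-encoded); no private key is involved.
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null

# Explicit distrust: chain building now rejects this leaf outright, so the timestamp
# that kept old NVIDIA binaries valid after expiry no longer helps either.
Import-Certificate -FilePath $ExportPath -CertStoreLocation Cert:\LocalMachine\Disallowed | Out-Null

$after = Get-AuthenticodeSignature -FilePath $SamplePath
"After   : $($after.Status) - $($after.StatusMessage)"

# To undo on this machine:
#   Get-ChildItem Cert:\LocalMachine\Disallowed |
#       Where-Object { $_.Thumbprint -eq $cert.Thumbprint } | Remove-Item
```

Export-Certificate and Import-Certificate come from the PKI module shipped with Windows 8 / Server 2012 and later; on older systems `certutil -addstore Disallowed <file.cer>` does the same job. The trade-off is exactly the one ncrs describes: every legitimate NVIDIA binary signed with that same leaf is now untrusted on that machine too, so distrusting the leaf is a containment step for hosts where you can live with the breakage, not a substitute for the vendor's revocation.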
#24
TheoneandonlyMrK
Oh dear, kin rat's nest this :p, I will hopefully not be affected, but a lot of us do use some random-ass software that likes to install a lot of random-ass exes, looking at you Asus, iCUE, NiceHash.
#25
R-T-B
I mean I've always felt relying on code-signing certificates rather than common sense isn't teaching the user good computing habits anyways. Code-signing is an excuse not to learn properly, in short. When it works, sure, it works. And when it fails, it fails hard, like here.

Why not just teach people?

Oh right... because, we're dealing with a population of computer illiterate potatoes. I keep forgetting.

I'm sorry I say it that harshly, but you know it's true.