Microsoft quietly pushes 5 additional root certificates

Again, Microsoft just added 5 new and undocumented root certs to the Windows CTL. And again, without communicating about it. I still fail to understand why their <A href=http://download.microsoft.com/download/1/5/7/157B29AB-F890-464A-995A-C87945B28E5A/Windows%20Root%20Certificate%20Program%20Members%20-%20Sept%202014.pdf>official list</a> is now out of date by more than a year, while Apple, Mozilla and Google all document the changes in a much more transparent and timely way.

Anyway, here are the new kids on the block. If you are running any supported version of Windows, you’re trusting them now (provided you already received the November 20 automatic update).

 010c0695a6981914ffbf5fc6b0b695ea29e912a6	GR 	
  Hellenic Academic and Research Institutions RootCA 2015
  
 9ff1718d92d59af37d7497b4bc6f84680bbab666	GR	
  Hellenic Academic and Research Institutions ECC RootCA 2015
  
 4caee38931d19ae73b31aa75ca33d621290fa75e	AT	
  A-Trust-nQual-03
  
 9b0959898154081bf6a90e9b9e58a4690c9ba104	CZ	
  I.CA Root CA/RSA
  
 f02b70bde4eae02b207377b9fd4785e4c9cc55dc	CN	
  China Financial Certification Authority Identity CA

<A href=https://twitter.com/hexatomium>Follow</A> @hexatomium

View my <A HREF=https://www.linkedin.com/profile/view?id=1283234>LinkedIn</A> page (Firas Salem)

Conway's 1K Binary Polyglot

Now you can play (or rather, watch) Conway’s Game of Life in a browser and on the C64 - using the same 1K file!

As an HTML5 file, the game will run in any modern browser on Windows, Linux, OS X, Android or iOS. However, just rename the file extension to .PRG and it’s ready to (natively) run on a C64!

For more info on binary polyglots: google “corkami”.

<A download href=http://trax.x10.mx/lifoglot.htm>Download</A>

 Size: 1024 bytes
 Hash: c649f20d3cb59e474d1f578143242c64 (MD5)

<img src=http://i.imgur.com/ZNXau7g.png>

Credits

 c64 code: ruk 
 js  code: Daniel Bali 
 polyglot assembly: FS1 

<A href=https://twitter.com/hexatomium>Follow</A> @hexatomium

MZuck32 - A PE/HTML Hybrid File

In the binary oddity department, here’s a funny little corkami-style beast: MZuck32 is a tiny (3634-byte) file that can be opened both as a valid Windows executable and a viewable web page (with an image embedded) just by switching its extension between EXE and HTM(L). :-)

<img src=http://i.imgur.com/CGz3AnT.png>

Features:

  • Valid Win x86 PE
  • Valid HTML+SVG page
  • A polyglot tribute to Facebook (what?) :)
  • For extra geekiness, MD5 hash is digits-only

<A href=http://trax.x10.mx/mzuck32.zip>Download</A>

 Size (bytes, unzipped): 3634
 MD5: 11154659197220219689725940689118
 
 (Tested on Windows 8.1 - should work on other versions too)

Coming up next: A Windows/C64 hybrid ;)

<A href=https://twitter.com/hexatomium>Follow</A> @hexatomium

View my <A HREF=https://www.linkedin.com/profile/view?id=1283234>LinkedIn</A> page (Firas Salem)

A critical Windows component expires in 25 hours

Is this for real? While working on the new version of CTLInfo (screenshot below), I ran across an unexpected and rather scary finding: A key security component of Windows, the so-called ‘Disallowed’ CTL, has a validity of 15 months and is going to expire in 25 hours.

<img src=http://i.imgur.com/VTgVHJS.png>

This is very worrying, because the ‘Disallowed’ CTL is a small but critical component in today’s Web PKI infrastructure and is used by Windows systems to keep track of any high-profile certificates that have been compromised. It includes thumbprints for compromised certificates such as Dutch Certificate Authority Diginotar, Microsoft’s Live.fi, and many more.

I can’t accurately foresee what is going to happen in 25 hours (more accurately, starting from 2015-09-23 20:36:26 GMT), but the implications could be disastrous yet mostly invisible: all Windows systems, unable to verify the validity of their CTLs, could be at increased risk of MITM attacks worldwide. I’m especially concerned about newly installed systems which ship with an empty Disallowed CTL and will be unable to successfully autoupdate their CTLs until Microsoft pushes out new ones.

I contacted Microsoft as soon as I found out about this, but haven’t heard back so far. I do still have a (very) slim hope that Windows magically autoupdates before doomsday hits.

At this time, I don’t have information on how to mitigate this possible risk effectively.

I did not have enough time to analyze the issue in greater depth, so I really hope I’m wrong on this. It would be good if someone could confirm these observations.

Note: on a Windows 2012R2 server, it is also possible to view the issue using the following command:

 certutil -verifyCTL disallowed

#Update 1#

Good news! Microsoft has just released a new Disallowed CTL, and most importantly, signed with a new certificate. That was really close! Windows systems with direct connectivity to ctldl.windowsupdate.com should automatically get the update within 24 hours.

<img src=http://i.imgur.com/dZRNo9k.png>

SHA1 thumbprint of the new signing certificate:

 3e 42 ad 26 cc 2f 6e f1 52 99 15 0f ca be df 85 b9 af 75 d3

Expiration date: 2016-08-14

Note: The updated CTL has the exact same entries as the old one. The rogue Google certificates recently issued by Symantec are not included.

<A href=https://twitter.com/hexatomium>Follow</A> @hexatomium

View my <A HREF=https://www.linkedin.com/profile/view?id=1283234>LinkedIn</A> page (Firas Salem)

Why is Windows so misleading about what root certificates it trusts?

Did you know? The Windows Certificate Trust List (aka CTL) is the master source that determines all the root certs your system ultimately trusts by default. In contrast, good old certmgr.msc only shows a much smaller subset of that list, which it proudly claims to be your system’s “Trusted Root Certification Authorities”. The real deal, though, is stored behind the scenes, in an obscure format, and Windows provides no GUI to view any information about it.

Starting with Windows Vista, a new AutoUpdate mechanism was added, allowing these trusted root certificates to be seamlessly downloaded on first use.

Why does this matter? Because the incomplete information shown by Windows leads many people (including some security professionals) to believe that Windows trusts only a dozen or two root certificates out of the box, rather than hundreds.

Here’s a simple test:

  1. Open certmgr.msc, navigate to “Trusted Root Certification Authorities”,
    and notice the lack of a root called “OpenTrust Root CA G3”

  2. Open IE or Chrome and navigate to https://opentrustrootcag3-test.opentrust.com/

    Good, your browser could establish a trusted SSL connection!

  3. If you examine the SSL cert of that server, what do you notice? It’s signed by root authority “OpenTrust Root CA G3”, which WAS not in your store…

  4. Open certmgr.msc again: now “OpenTrust Root CA G3” IS there and was added without any prompts. Why? Because your system already trusted it via its CTL.

  5. Bottom line? Certmgr.msc is not showing the whole picture. In fact, there’s no GUI view anywhere in the OS that shows any detail on the CTL.

<A href=http://trax.x10.mx/apps.html>CTLInfo</A> is the result of a couple sleepless nights spent researching and reversing some of the CTL obscure format. (If someone knows where to find detailed specs on that format, I’d love to hear from you!) It is a very small tool showing some key information about your system’s CTL. I made this as I just could find no other straightforward way to get this sort of information, which can be useful to system or network administrators.

<img style=”max-width: auto;” src=http://i.imgur.com/Ur2mBOT.png>

<A href=https://twitter.com/hexatomium>Follow</A> @hexatomium

View my <A HREF=https://www.linkedin.com/profile/view?id=1283234>LinkedIn</A> page (Firas Salem)