In 2009 I added a command to my Disitool to inject data “into” an Authenticode signature without invalidating it.
This year I reported on some installer programs using this padding trick.
With MS13-098, Microsoft releases a patch to prevent this signature padding trick. This change in behavior will become active June 10th 2014.
But you can already activate it now by setting reg_sz key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck to “1″.
Here is the effect illustrated with my AnalyzePESig tool:
But beware of a potential issue with this regkey. Setting it to “0″ will not revert to the old behavior (tested in VM with Windows XP SP3).
I had to deleted the key (actually, I renamed it) and reboot to revert to the old behavior. I informed Microsoft.
