10-Year-Old Windows Vulnerability Exploited in 3CX Attack

March 31, 2023

A 10-year-old Windows vulnerability, CVE-2013-3900, continues to be exploited in attacks to make modified executables appear legitimately signed. The fix from Microsoft remains 'opt-in' after all these years and is removed after upgrading to Windows 11. Recently, VoIP communications company 3CX was compromised in a large-scale supply chain attack involving trojanized versions of its Windows desktop application. Two DLLs used by the application were replaced with malicious versions that downloaded additional malware, such as an information-stealing trojan. One of these malicious DLLs, d3dcompiler_47.dll, is normally a legitimate DLL signed by Microsoft, but the threat actors modified it to include an encrypted malicious payload. Despite the file being modified, Windows still showed it as correctly signed by Microsoft.

The DLL exploits the CVE-2013-3900 flaw, a 'WinVerifyTrust Signature Validation Vulnerability.' Microsoft first disclosed this vulnerability on December 10th, 2013, and explained that content can be added to the Authenticode signature section (the WIN_CERTIFICATE structure) of a signed executable without invalidating the signature. Will Dormann, a senior vulnerability analyst at ANALYGENCE, explained in tweets that the Google Chrome installer adds data to the Authenticode structure to determine if users opted into 'sending usage statistics and crash reports to Google.' Microsoft decided to make the fix optional, likely because it would invalidate legitimate, signed executables that stored data in the signature block of an executable.
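A defender-side check for the condition described above, as an added example that is not from the original article or from Microsoft: it walks a PE file's certificate table and reports WIN_CERTIFICATE entries that hold bytes after the end of their PKCS#7 SignedData. The function names and the build_sample fixture are assumptions made for illustration; the fixture is a constructed header skeleton with a dummy blob, not a signed binary.

```python
import struct

def der_total_len(buf):
    """Header + content length of the DER SEQUENCE at the start of buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("blob does not start with a DER SEQUENCE")
    if buf[1] < 0x80:                        # short-form length
        return 2 + buf[1]
    n = buf[1] & 0x7F                        # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def cert_table_slack(pe):
    """Return [(file_offset, trailing_bytes)] for entries with data after the SignedData."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                            # PE signature (4) + file header (20)
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    # Data directory 4 is the certificate table; its address is a file offset.
    off, size = struct.unpack_from("<II", pe, opt + (112 if pe32plus else 96) + 4 * 8)
    end, findings = min(off + size, len(pe)), []
    while off and off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            break                            # malformed entry, stop walking
        blob = pe[off + 8:off + length]
        if ctype == 0x0002:                  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            tail = blob[der_total_len(blob):]
            # Up to 7 zero bytes are ordinary 8-byte alignment padding.
            if len(tail) >= 8 or any(tail):
                findings.append((off, len(tail)))
        off += (length + 7) & ~7             # entries are 8-byte aligned
    return findings

def build_sample(extra=b""):
    """Constructed PE32 skeleton with a dummy blob (not a real signature)."""
    blob = b"\x30\x82\x01\x00" + bytes(256) + extra
    blob += bytes(-(8 + len(blob)) % 8)      # pad the entry to 8 bytes
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew
    struct.pack_into("<H", hdr, 0x98, 0x10B) # PE32 optional-header magic
    struct.pack_into("<II", hdr, 0x118, 0x200, len(cert))
    return bytes(hdr) + cert
```

A hit is a triage signal rather than a verdict, since the article notes that legitimate installers such as Google Chrome's also store data in this structure.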

Microsoft's disclosure for CVE-2013-3900 states, 'On December 10, 2013, Microsoft released an update for all supported releases of Microsoft Windows that changes how signatures are verified for binaries signed with the Windows Authenticode signature format. This change can be enabled on an opt-in basis.' Almost a decade later, the vulnerability is still being exploited by numerous threat actors, but the fix remains opt-in and can only be enabled by manually editing the Windows Registry. Even if users apply the fix, it is removed once they upgrade to Windows 11, making their devices vulnerable again.

Recent attacks, such as the 3CX supply chain attack and a Zloader malware distribution campaign in January, show that this vulnerability should be fixed, even if it inconveniences developers. Unfortunately, most people are unaware of this flaw and may assume malicious files are trustworthy because Windows reports them as being so. Dormann warned, 'But when a fix is optional, the masses aren't going to be protected.' Although the optional fix may cause issues with some installers, the added protection is worth the inconvenience.
