Hello Yuri, I’m Henry, and I’m happy to share my insights on this issue. I also tried translating to better understand the problem.
Your concern is valid but we need to correct a common misunderstanding:
This fix does NOT affect unsigned executables.
It only affects files that are digitally signed using Authenticode.
What the Vulnerability and Fix Actually Do
- The Vulnerability (CVE-2013-3900): Before the fix, Windows' WinVerifyTrust function would validate a file's digital signature but would ignore any extra data appended to the end of the file. This allowed an attacker to attach a malicious payload to a legitimately signed file (like setup.exe) without invalidating the signature.
- The Fix (EnableCertPaddingCheck): When you apply this registry fix, you make the signature validation process stricter. The system will now check for any extraneous data after the signature block. If any extra data is found, the signature is considered invalid, and the file will be treated as if it has no valid signature.
You are correct that some third-party software may stop working. This will happen if the software vendor used a non-standard packaging method. I recommend some steps, but please ensure that security is prioritized. Additionally, you must validate them against your specific environment.
- Create a Test Group: Identify a small group of test machines or a lab environment that has your company's critical third-party software installed.
- Apply the Fix: On this test group only, apply the EnableCertPaddingCheck registry key.
- Test Thoroughly: Launch and use your third-party applications. Pay special attention to installers (.exe, .msi), updaters, and any custom-developed tools.
- Identify Failures: If an application fails to launch or throws a security/signature error, you have found a non-compliant application.
Hope this helps you.
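A pre-flight scanner for the test-group step, as an added example (not code from this answer or from Microsoft): it parses a PE file's Authenticode certificate table and reports any non-zero bytes sitting after the PKCS#7 SignedData blob inside the WIN_CERTIFICATE entry, which is the extraneous data the stricter check rejects, so candidate failures can be listed before EnableCertPaddingCheck is turned on. It assumes the standard PE/COFF layout, inspects only the first certificate entry, and uses two constructed entries as sample input.

```python
import struct
import sys
from pathlib import Path


def der_length(blob: bytes) -> int:
    """Total encoded size of the outer DER SEQUENCE that starts at blob[0]."""
    if not blob or blob[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                        # short form: one length byte
        return 2 + first
    n = first & 0x7F                        # long form: n big-endian length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def inspect_win_certificate(entry: bytes) -> dict:
    """Report the bytes after the PKCS#7 SignedData blob in one WIN_CERTIFICATE entry."""
    dw_length, revision, cert_type = struct.unpack_from("<IHH", entry, 0)
    pkcs7_len = der_length(entry[8:dw_length])       # bCertificate begins at offset 8
    slack = entry[8 + pkcs7_len:dw_length]           # everything after the SignedData
    return {"revision": revision, "cert_type": cert_type, "pkcs7_len": pkcs7_len,
            "slack_bytes": len(slack),
            "has_appended_data": any(slack)}         # all-zero slack is just alignment padding


def find_certificate_table(pe: bytes) -> tuple:
    """(file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY; size 0 means unsigned."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                              # optional header after the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)     # data directory start: PE32 vs PE32+
    return struct.unpack_from("<II", pe, dirs + 4 * 8)  # directory entry 4 = security


def scan_file(path: str):
    """None for an unsigned file (unaffected by the fix); otherwise a slack report."""
    pe = Path(path).read_bytes()
    offset, size = find_certificate_table(pe)
    if size == 0:
        return None
    report = inspect_win_certificate(pe[offset:offset + size])
    report["bytes_after_table"] = len(pe) - (offset + size)   # data past the table itself
    return report


# Constructed samples (not real signatures): SEQUENCE { INTEGER 5 } stands in for SignedData.
_DER = b"\x30\x03\x02\x01\x05"
CLEAN_ENTRY = struct.pack("<IHH", 16, 0x0200, 0x0002) + _DER + b"\x00" * 3
TAMPERED_ENTRY = struct.pack("<IHH", 24, 0x0200, 0x0002) + _DER + b"\x00" * 3 + b"EXTRA!!!"

if __name__ == "__main__":
    for f in sys.argv[1:]:
        print(f, scan_file(f))
```

Run it over the install directories of the third-party software on the test group; any file reported with has_appended_data True belongs on the list of applications to test first.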