
Emsisoft to Users: Update Software, Reboot Systems After Certificate Error – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

Cybersecurity firm Emsisoft is telling users to update their anti-virus and other security software in the wake of an error with its code signing certificate that could cause the products to malfunction and make organizations more vulnerable to attacks.

After updating the software, enterprises will also need to reboot their systems before September 22 to ensure the installation of a new driver file, the company wrote in a notice this week. They need to update not only the antivirus software but also the Emsisoft Business Security and Enterprise Security products.


The issue was caused by a mistake made by GlobalSign, the certificate authority that issued Emsisoft an Extended Validation (EV) code signing certificate last month.

“Protection software like ours is digitally signed with a certificate that warrants the files are authentic, published by us, and in a non-manipulated state,” Emsisoft wrote.

For antivirus vendors, Microsoft requires EV code signing certificates – not regular ones – that are protected by a FIPS 140-2 Level-2 cryptographic device, which ensures the certificates can’t be stolen or abused.

The certificates need to be renewed every 12 months, a process that includes extensive validation by the certificate authority, which in Emsisoft’s case is GlobalSign. The validation process includes such steps as proving the vendor’s address and business register.

A Routine Process Gets Bumpy

For Emsisoft, the validation process went smoothly and the company renewed its EV code signing certificate. All the program files Emsisoft pulled together after that used the new certificate, including the 2023.9 release that was published September 4.

That same day, “GlobalSign reached out to us letting us know that they made a mistake with our certificate: namely, they entered our business number incorrectly,” Emsisoft wrote. “This means they must revoke the certificate on September 8th and re-issue a new one with the correct business number.”

The vendor received a corrected certificate the next day and immediately re-signed the files that had been signed by the certificate with the mistake. Organizations can get the new – and properly signed – files via an online update, with Emsisoft adding that most of its customers will automatically get the new version before the old certificate is revoked today.

However, there was another complicating problem. Emsisoft published a new driver component for a new rollback feature in version 2023.9. Installing a new version of the driver file requires a system reboot, which is why organizations need to not only update the software but also reboot the device by today.

“When a certificate authority revokes a certificate, all software files that have been signed with it will produce a security warning, and drivers may not load at all,” Emsisoft wrote. “This essentially breaks the protection, including the ability to run online updates. If that happens, only a re-installation of the software will resolve the issue.”
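An inventory check an administrator could run before the revocation date to find files that still carry the old signature, as an added example (this is not code from Emsisoft or GlobalSign); the install path and the revoked certificate's serial number are placeholders to fill in:

```powershell
# Added example, not Emsisoft's or GlobalSign's code. Lists files under an install
# directory that are still signed with a given (soon-to-be or already) revoked code
# signing certificate, and builds each signer certificate's chain with an online
# revocation check (CRL/OCSP), which is what Windows does before trusting a driver.
# Assumptions: $Path and $RevokedSerials are placeholders you must replace.
param(
    [string]$Path = 'C:\Program Files\PLACEHOLDER-VENDOR',            # placeholder, adjust
    [string[]]$RevokedSerials = @('PLACEHOLDER-REVOKED-CERT-SERIAL')   # placeholder, adjust
)

# Normalise serials so "ab:cd 12" and "ABCD12" compare equal.
$revokedSet = $RevokedSerials | ForEach-Object { ($_ -replace '[\s:]', '').ToUpperInvariant() }

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if (-not $sig.SignerCertificate) { return }   # unsigned file: nothing to check

    $cert = $sig.SignerCertificate
    $serial = $cert.SerialNumber.ToUpperInvariant()

    # Build the chain with online revocation checking over the entire chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($cert)
    $chainProblems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [PSCustomObject]@{
        File            = $file.FullName
        Signer          = $cert.Subject
        Serial          = $serial
        SignatureStatus = $sig.Status            # Valid / NotTrusted / HashMismatch ...
        ChainValid      = $chainOk
        ChainStatus     = if ($chainProblems) { $chainProblems } else { 'OK' }
        UsesRevokedCert = $revokedSet -contains $serial           # stale file: update before revocation
        NeedsReboot     = ($file.Extension -eq '.sys') -and ($revokedSet -contains $serial)
    }
} | Where-Object { $_.UsesRevokedCert -or -not $_.ChainValid } | Format-Table -AutoSize
```

Before the CA actually revokes the certificate the online chain check still passes, so the serial-number match is what flags stale files in time; a flagged `.sys` file means the update is not complete until the machine has been rebooted.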

Emsisoft said it asked several times that GlobalSign extend the deadline for revoking the certificate but that the certificate authority denied each request.

“It goes without saying that we are far from happy with the way GlobalSign has handled this issue,” the software vendor wrote.

Certificates and Software Supply-Chain Attacks

Digitally signing code is a crucial cybersecurity practice for verifying the authenticity and integrity of software, particularly at a time when threat groups are launching sophisticated software supply-chain attacks – like the SolarWinds hack in 2020 and the Kaseya breach the following year – and the cybersecurity industry is adopting tools like software bills-of-materials (SBOMs) to push back against them.

“Attackers compromised the code signing process to inject malicious code into legitimate software, which is then distributed through regular software channels,” Ambika Rastogi, a consultant with Encryption Consulting, wrote in a blog post earlier this year. “Detecting such attacks becomes challenging, and their impact can be widespread.”

Beyond Identity, a multi-factor authentication (MFA) vendor, outlined several threats to code signing systems: private key theft, unauthorized code signing certificates, misplaced trust in certificates or keys, unauthorized or malicious code being signed – one of the tools used by the hackers behind the Lapsus$ attacks was a private key that could be used to sign Windows malware – and weak cryptography.

Emsisoft Took an Earlier Hit

Emsisoft is no stranger to such attacks. In February, the vendor reported an incident in which bad actors used a fake code signing certificate supposedly belonging to Emsisoft in hopes of obfuscating an attack on one of Emsisoft’s customers.

“The organization in question used our products and the attacker’s aim was to get that organization to allow an application the threat actor installed and intended to use by making its detection appear to be a false-positive,” Emsisoft wrote at the time, adding that the attack failed when its product detected and blocked it. “This incident demonstrates the need for organizations to have multiple layers of protection so that, should one layer fail to block an attack, another layer will. It is called the Swiss cheese model.”


Original Post URL: https://securityboulevard.com/2023/09/emsisoft-to-users-update-software-reboot-systems-after-certificate-error/

Category & Tags: Application Security, Cybersecurity, Data Security, Endpoint, Featured, Identity & Access, News, Security Boulevard (Original), Spotlight, Vulnerabilities, antivirus, certificate authority, Emsisoft, software supply chain security
