Whose signature?
Code signing requires that the authority who granted the certificate knows who signed the executable. Otherwise it wouldn't be a "signature" at all, would it? Should be easy to tell who from the key revocation announcement.
A variant of the bank-account-raiding ZeuS Trojan is masquerading as a legit Windows app using a valid digital signature – and packs a rootkit to burrow deep into victims' PCs. It appears miscreants have somehow gained access to the private signing key belonging to a Microsoft-registered third-party developer in Switzerland, …
Agreed, I use a Linux live distro for anything secure. Set the distro up to block ads etc, remaster as necessary. Make sure it runs totally in memory, no HDs etc mounted.
Visit site, transact business, log out, reboot. For something like Puppy or its variants make sure there's no Savefile to save your settings etc for next time.
PITA I know but a little paranoia can be a good thing.
The problem is not with Windows signature validation though, is it?
The issue, as I see it (& please correct me if I am wrong), is that a developer's signature credentials (private key, or password for same, and the cert) have been nicked and now are in the hands of malware authors, without the certificate authorities revoking the certificate.
Given the validation process on the Xbox for checking passwords, perhaps the name on the certificate is a red herring. Perhaps Windows doesn't even check the certificate if the downloaded file is unencrypted but just says it is. Has anybody checked?
Microsoft - so secure that a 5-year-old can crack it.
http://www.theregister.co.uk/2014/04/04/five_year_olds_xbox_live_password_hack/
Someone's cert has been stolen. And, presumably, their keys to other things as well...
That's their problem. It's our problem - and your problem, and Microsoft's problem, if the Certificate Revocation mechanisms aren't working.
● Is this about a certificate not being revoked?
● Or is it all about Windows failing to check the cert before installing?
If the cert isn't being revoked, we might just see if the certificate authority can be withdrawn, or blacklisted as untrustworthy; or just waved through, move along, nothing to see.
And as for a major OS vendor's installer failing to check for revocation and act on it - that's *unthinkable*. Said Paris, because all serious remarks on The Register are parody.