Microsoft Warns Windows 11 Features Are Failing Due To Its Expired Certificate (theverge.com) 109
Microsoft has started warning Windows 11 users that certain features in the operating system are failing to load due to an expired certificate. The certificate expired on October 31st, and Microsoft warns that some Windows 11 users aren't able to open apps like the Snipping Tool, touch keyboard, or emoji panel. From a report: A patch is available to fix some of the issues, but it's currently in preview, meaning you have to install it manually from Windows Update. The patch, KB4006746, will fix the touch keyboard, voice typing, emoji panel, and issues with the getting started and tips sections of Windows 11. You'll be able to find this patch by checking for updates in the Windows Update section of Settings in Windows 11. Microsoft's patch doesn't address the problems with the Snipping Tool app, though. "To mitigate the issue with Snipping Tool, use the Print Screen key on your keyboard and paste the screenshot into your document," recommends Microsoft. "You can also paste it into Paint to select and copy the section you want."
Snipping Tool? (Score:5, Insightful)
Why on Earth does a program like the snipping tool need a certificate validation?
Comment removed (Score:5, Informative)
Re: (Score:1)
Not even admin users have access to system files though. If the hacker already has so much priviledge, it will start encrypting documents and demand some bitcoin.
Re: (Score:1)
Re: Snipping Tool? (Score:2)
Re: (Score:2)
too many privilege escalation vulnerabilities. last year has been pretty rough.
Re: (Score:2)
So a hacker can't find a bug that lets them replace the snipping tool with a malware infested alternative?
Microsoft has done code signing for a while. I guess it makes sense that the signatures would be tied to a certificate. The WTF here is that they're using a cert that expires so soon (or expires at all.)
Code or signatures are signed using a timestamp anchor to prevent exactly these types of problems from occurring.
Re: Snipping Tool? (Score:3)
Any good hacker will be able to work around that.
If Microsoft can install a new certificate, so can a hacker.
Re: (Score:2)
I don't think you understand how certificates work.
Re: (Score:1)
On the contrary - there's always a weak point.
Just find the weak point and exploit it.
Re: (Score:2)
Re: (Score:3)
Well, the other issue would be that the signing authority's cert will expire some day, which invalidates all certificates that were signed by that certificate. One way or another, there will be an expiration.
I think the ideal scenario would be that it would happen more than 30 days after launch though. What a spectacular cock-up.
Re: (Score:2)
My understanding is that timestamping solves this problem too. It's not an area where I'm an expert though.
Re: (Score:2)
Re: (Score:2)
I doubt Microsoft cares about Windows 11 not working when it's long out of support.
Re: (Score:2)
Re: (Score:3)
or expires at all
Certificate expiry is a necessary security feature that keeps the signing process up to date with evolving security standards. What works today, may not work tomorrow. A certificate which works in perpetuity results in decreasing security over time (normally not linear, but rather taking a major jumps such as when the SHA-1 collision was discovered).
The WTF here is that I fully expected their own certificates in their own OS to not expire since they are in control of the certificates used, the signing, and
Re: (Score:2)
I don't care if security slowly goes down over time, Once the app is validated once, it should stay validated, simply upgrade the apps with a new certificate every so often, clearing the old validation, but if the user chooses not to upgrade or apply security patches, or the product goes out of support, security can go down that is a known risk of not updating your software.
Re: (Score:2)
I don't care if security slowly goes down over time
Fortunately for the rest of the world, security practices don't give a crap what you care about.
Once the app is validated once, it should stay validated
No thanks. We shouldn't degrade security simply because you don't understand something or don't care about something.
that is a known risk of not updating your software.
We have 30 years of evidence showing the dumbest thing anyone can do is let a user determine risk of not updating. I'd be right there with you right as soon as computers are automatically booted from the internet. Update your software, get your COVID vaccine. The two go hand in hand.
Re: (Score:2)
Microsoft has done code signing for a while.
Yep, you'd think they would have figured how to do it right. JFC, they're the biggest software company in the fucking world and have been at this for forty fucking years.
Re: (Score:2)
Re:Snipping Tool? (Score:4, Insightful)
Why on Earth does a program like the snipping tool need a certificate validation?
That was my thought too. I imagine it's so MS can exert control (on purpose) at some point ... You know all those people still using old versions of Windows, Office and other MS apps? How are they going to do that in the future when the certificates expire.
Re: (Score:2)
this.
Re: (Score:2)
How are they going to do that in the future when the certificates expire.
By filing charges against them in court for timebombing purchased software.
Re: (Score:2)
By filing charges against them in court for timebombing purchased software.
Microsoft win in that case. They either outspend the other side in court or settle for a tiny fraction of the profit they made.
The courts are the worst possible remedy.
Re: (Score:2)
You mean something like this:
We at Microsoft think you have been a bad Bad BOY so we are invalidating your certificate. You shall not SNIP again!!
Re: (Score:2)
Read the posts above yours, they answer your question.
Re: (Score:2)
Re: Snipping Tool? (Score:2)
Re:Snipping Tool? (Score:5, Interesting)
My guess? To upload the clipboard to the cloud for analysis.
I suppose it's only a matter of time before you won't even be able to use the latest version of Windows on an air-gapped system...
Re: (Score:2)
Consequence of Microsoft's design decisions... (Score:2)
I suppose it's only a matter of time before you won't even be able to use the latest version of Windows on an air-gapped system...
I have to work in an air-gapped facility.
In recent versions of Microsoft Office, the Help system depends on an internet connection that we don't have.
Nobody is using advanced features of Office anymore, because we can't get to the documentation on how to use them.
Ok, so the certificate expired. (Score:1)
Just reissue it, eh? Or is that too obvious?
Re:Snipping Tool? (Score:5, Informative)
The snipping tool doesn't need a certificate. The snipping tool is signed. The OS verifies the signature by using a certificate. The certificate that proves the signature is valid is expiring.
Re: (Score:2)
The OS verifies the signature by using a certificate. The certificate that proves the signature is valid is expiring.
This is a really broken system if things which were signed when the certificate was valid can no longer be validated - It's not like this is an unsolved problem;
there is such a thing as using a trusted timestamping service to verify the date a certain signature Id was made and permanently cache the record to use for future validations.
Re: (Score:3)
There is no such thing as 'signing when the certificate [is] valid'. You do not sign with a certificate, valid or otherwise. You sign with a key. The certificate just gives you information to determine if you trust that key. And that trust can change over time. Things like 'permanently trusting' have no place in security.
Timestamping is still dependent on chain of trust. (Score:2)
It is important to remember that trust is generally inherited. Code signing certificates with time stamping 'solve' the problem of expiring code-signing certificates by instructing the software to check with that the code-signed certificate was valid at the time it was signed. So, someone with the original private key needs to be answering where the software checks.
In order to trust what the server of the original signing party says, a valid chain of trust is still required. The end-use public certificat
Re: (Score:2)
It's not like this is an unsolved problem;
That's a misunderstanding of security. The "problem" here is the evolving nature of security and how cryptographic signatures devolve over time (e.g. someone discovered a collision in SHA-1 and suddenly the trust of all these certificates is broken).
The solution to this problem is mandatory certificate expiry. Literally all cryptographic signatures used to validate a trust chain have an expiry period.
Re: Snipping Tool? (Score:2)
Someone has literally never heard of timestamping. It's literally in the post above yours.
Re: (Score:2)
Nope, timestamping doesn't solve the problem, all it does is work around certificate expiry issues by opening the process up to all of the problems which already exist.
Again, trust in perpetuity is not trust. Just because a certificate is trusted today does not mean it can be trusted tomorrow, regardless of any timestamping. That's precisely the problem that expiry aims to solve.
Re: Snipping Tool? (Score:2)
How do you intend to authenticate this trusted timestamp service?
Re:Snipping Tool? (Score:5, Funny)
I don't care much about snipping tool. But no Emoji Panel! No way will I pay for Windows 11 without that!
Snip this! (Score:1)
Can the snipping tool snip out cert-based applications?
Re: (Score:2)
Dude, that's like asking why a few pages of text needs Kubernetes and a few dozen 3rd party JavaScripts. If you start asking questions like that, the whole proposition kind of falls apart. Won't you please consider all the Bay Area rents of the various parties involved? There are literally children's lives at stake.
Re: (Score:3)
It doesn't. It's just that it's a code-signed program whose signing certificate expired. So the program cannot execute because Windows can not verify the integrity of the app.
Re: (Score:2)
because Windows can not verify the integrity of the app
But it did once. When it was first installed.
What is it doing? Re-checking the certificate every time I want to cut and paste? What happens when I'm using my app beyond available Internet connectivity? (This is the USA, with some of the shittiest broadband coverage outside of third world countries.)
I could understand a certificate utility that checks through installed apps and warns the user that some are about to expire and you'd better drive into town and find a Starbucks with WiFi. But to have these th
Re:Snipping Tool? (Score:5, Insightful)
I would like to know how someone is shipping an operating system with a volume like Windows, and not checking their certificate expirations to make sure there's more than 30 days left.
Seriously, what the fuck. They haven't even gotten through their first month on the market and they already have shit failing from expiring certificates? That's such a 15-years-ago problem.
Re: (Score:3)
Why on Earth does a program like the snipping tool need a certificate validation?
Because it sends valuable data about you to Microsoft, and they take care of their minions.
Re: (Score:2)
So you have a shred, an atom of evidence for that?
Re: (Score:2)
So you have a shred, an atom of evidence for that?
Don't like sarcasm? But then again - do you have a shred, an atom of evidence that they don't?
Re: (Score:2)
Are you seriously trying to imply on slashdot that win10 and 11 aren't spyware?
Re: (Score:2)
No, Windows 10/11 are spyware, but specifically about the Snipping Tool being signed.
Re: Snipping Tool? (Score:2)
Re: (Score:2)
>
If thatâ(TM)s a genuine question, I wish I could say that youâ(TM)re on the wrong forumâ¦.
>
>Unsigned exes are not welcome in many enterprise environments. In my case, departments legitimately trying to introduce app versions that have been incorrectly signed set off flags for the ops and cyber teams and we help them (usually remind them) to remediate.
It was a genuine question. No one is saying the exe in question is unsigned. You can take it as given that I do understand certs and signing and all that goes along with it. I've implemented production CAs and written certs standards for device certificates we all use and have a healthy dislike for the current cert standards. However for software that is signed within a trust hierarchy that can be validated to a trusted root cert that was valid and trusted at the time of installation to then be calling
Re: (Score:3)
To ensure your license does not go "stale".
Yes, I'm serious. If you use Visual Studio, MS requires you to regularly log in to their servers or else the software will be deactivated. MS explicitly says they will not invalidate or expire your license to use the software, but your license may go "stale".
Re: (Score:2)
That's less of a surprise to me. I work in a similarly large megacorp and I know exactly how this sort of thing gets dropped on the floor. People think they know what their job is and sub organizations think they know what their jobs are. But no one knows what all the jobs are across the company and so no one notices if one of them is not being done.
I run into the downstream consequences of this all the time and am currently over employed putting things back together.
True story that happened within the last
Microsoft is BADLY managed? (Score:3, Insightful)
Re: (Score:2)
I don't think they have ever been well managed. They are a city of silos all built on sand. JFC, they're the biggest software company in the fucking world and have been at this for forty fucking years, you'd think they could figure it out by now.
Yet another failure of Windows Code Signing (Score:5, Interesting)
The Windows Code Signing program is a complete disaster. The certificates themselves are super expensive and there is no guarantee that counter-signed, timestamped, expired certs will continue to run past their expiry.
Microsoft needs to take a long, hard look at their digital signature program and revamp it and make it reasonably affordable again. If I were them, I'd also consider adding DNSSEC DANE TLSA, GPG signature, and/or GitHub repo signature/validation support to the program as zero-cost options. Digital signatures just verify that binaries haven't been modified in between the source and destination. They are not a valid solution for stopping malware.
Re: (Score:2)
Signatures provide proof of the source. They are very much a valid solution for stopping malware. You can verify that the binaries haven't changed with a simple hash, no need for signatures.
Re: (Score:1)
This seems like a contradiction. Perhaps you really mean, "While certificate signatures are a valid way to stop malware, they are overkill because binaries can be verified with a simple hash."
Re: (Score:2)
A simple hash can be created by anyone. But signatures are asymmetric. Microsoft (or the dev) can create them from the hash and anyone with the pub key can decrypt and verify it.
Re: (Score:3)
No contradiction, and not overkill. Signatures protect at run-time. When the OS is going to execute something, it verifies the signature. This shows two things: the binary has not been modified (at any point), and the program comes from a 'trusted' source. The 'trust' is provided by the signature and it's verification against a trusted certificate. One certificate can protect an unlimited number of programs. To do the same thing with a hash, you would need to have an uncorruptable database of the has
Re: (Score:3)
Signatures protect at run-time. When the OS is going to execute something, it verifies the signature. This shows two things: the binary has not been modified ....
No.. Signatures help establish authenticity when something is being distributed and protect against simple tampering only.
In the case of run-time, and malware intrusion: the entire binary can been replaced with a Non-Signed binary which is now a "valid" .Exe because it is not signed at all, Or the replacement .Exe may be a newly-Signed binary
Re: (Score:2)
None of what you said has anything to do with signatures. The fact that you can run an unsigned binary is a flaw in Windows, not in the concept of signing. The fact that two different trusted sources can release same-named binaries has nothing to do with signatures. The fact that a compromised system is untrustworthy has nothing to do with signatures.
My point stands: signatures prove the source AND authenticity of something in a properly implemented system. They do not 'just show that the binaries have n
Re: (Score:2)
The fact that you can run an unsigned binary is a flaw in Windows, not in the concept of signing.
The subject is the actual windows code signing feature that exists; not some theoretical code signing feature that requires 100% of every possible executable or script to be signed that would not work, because it's just plain not supportabled for many existing scripting languages, Office macros, etc and would break Windows' cherished backwards compatibility.
The fact you can run unsigned code invalidates the unqu
Re: (Score:2)
Signatures provide proof of the source. They are very much a valid solution for stopping malware.
Signatures are to resist tampering of a product and counterfeit binaries, they are not a valid solution for preventing the distribution of the predominant forms of malware. The malware just comes either signed with a legitimate developer's certificate, because the supply chain was compromised, or more often with no certificate at all - Many legitimate programs are Not signed because of the complexity and co
Re: (Score:2)
Re: (Score:2)
MacOS enforces application signatures by default, not running unsigned or mis-signed apps without a little work on the user's part.
Actually not.. they only enforce signing on some apps.. Mainly: Apps in their app store. And they will block unidentified apps downloaded from the internet (as identified by filesystem-level metadata that web browsers on OSX add to downloaded files).
This helps establish Authenticity for distributing software, but it does not prevent tampering if a malicious program
Re: (Score:2)
there is no guarantee that counter-signed, timestamped, expired certs will continue to run past their expiry.
I probably misunderstood something, but that sounds like a good thing. Why would you want a certificate to continue to be valid past its expiration date?
Software Preservation (Score:3)
Re: (Score:1)
Re: Software Preservation (Score:4, Informative)
Re: (Score:2)
it's concerning these bits of software don't work at all once that chain of trust is expired.
No, that's not concerning, that's a design feature. You can't have a chain of trust without a way to break the chain. :-)
What is concerning is that Microsoft doesn't trust Microsoft and thus put an expiry on their own self signed certificates
Re: (Score:2)
Of course if the proper dialog to bypass and run does come up if you run the software by hand
If you're going to do that you may as well not bother with certificates at all, since everyone but the most security conscious will just click through the warning without reading it, let alone understanding it.
Let's encrypt everything! (Score:2)
Unable to load comment. Please update certificates for sarcasm, snark, and I told you so to see it.
Two Words (Score:3)
"Alpha Software"
Many more words:
I don't get why people have to rush out and be bug finders for another company, worse yet, putting said alpha software on production systems (yes, this kind of BS has been broached where I work...) and then acting surprised when it goes tits up, because why?
"Alpha Software"
Re: (Score:2)
Indeed. The ultimate expression of complete disrespect for the customer.
Re: Two Words (Score:3)
I like the snipping tool (Score:2)
but on both my everyday systems, I've found it occasionally just 'fails to work' or forgets the win+shift+S keystroke shortcut.
Re: (Score:2)
I prefer Greenshot by a wide margin. Super easy, lots of save flexibility (I open in editor and copy to clipboard, so I can just paste or do a quick edit/copy/paste).
Re: (Score:2)
TIL, I will absolutely give that a shot.
Thanks!
MicroCrap (Score:3, Informative)
They cannot even get a major release right. What a bunch of fuckups.
Re: (Score:3, Insightful)
They cannot even get a major release right. What a bunch of fuckups.
Who does get a major release right?
Debian who roll out systemd with a major release? ... Actually that last one sounds pretty good.
Redhat who depreciate their entire purpose of being by changing to rolling release with a major release?
Apple who brick Macs and break software with a major release?
OpenBSD who bore people to death with a major release?
Re: (Score:2)
hp48g
there were 5 releases in total
the entire system has fewer than 12 total bugs, most of which circumventable, all of them trivially preventable.
Re: MicroCrap (Score:2)
Not necessarily defending MS here, but they werenâ(TM)t alone in this debacle. Scores of large software companies and cloud services providers were affected by this root certificate expiration. It was a 25 year cert.
Re: (Score:2)
Amateurs all around. If these people had been doing it right, they would have checked all certs at least yearly.
Re: (Score:2)
This is not new. :P
Re: (Score:2)
This is not new. :P
No, it is not. It is an established pattern over multiple decades.
Nice app rental you have there... (Score:4, Insightful)
Eventually windows will be completely free to install (legally speaking), but you will have to subscribe to get updated certificates so that you can run Clippy, er I mean Notepad.
That Was Fast (Score:4, Funny)
The hierarchy of face-palm memes explained: (Score:3)
1. The classic facepalm: https://knowyourmeme.com/memes... [knowyourmeme.com]
2. The double facepalm: https://knowyourmeme.com/photo... [knowyourmeme.com]
3. The triple facepalm: https://knowyourmeme.com/photo... [knowyourmeme.com]
4. The implied facepalm: https://knowyourmeme.com/photo... [knowyourmeme.com]
5. An this most epic of next level facepalm: "To mitigate the issue with Snipping Tool, use the Print Screen key on your keyboard and paste the screenshot into your document,"
Re: (Score:2)
To mitigate the issue with Windows, head to http://www.apple.com/ [apple.com]
Re: (Score:1)
At least you made an attempt. It wasn't a good attempt, but it was an attempt.
https://www.linux.org/ [linux.org]
Re: (Score:2)
> To mitigate the issue with Windows, head to http://www.apple.com/ [apple.com]
You misspelled https://linuxmint.com/ [linuxmint.com] :)
Re: (Score:2)
No. I can't install macOS on my PC. https://www.debian.org/ [debian.org] is a far better link.
Seems robust (Score:2)
Seems robust... if they miss anything it appears your system is hosed.
It looks like the whole operating system has a massive a dependency on Microsoft and it doesn't look like there's anything I can do to fix the problems if Microsoft drops the ball like they are here so I'm just going to have to say no to that bull.
A lot of bad takes (Score:2)
A lot of bad takes in here from people who donâ(TM)t seem to understand how certificate chains actually work, and how certificates are used to authenticate.
That said, I believe my organization is experiencing an outage due to this root cert expiration. I have an app service hosted in an Azure App Service Environment which is failing to establish tls connections to any other web server with an âoeuntrusted rootâ error. I do not have full access to the operating system as it is PaaS and not a V
What they don't tell you... (Score:2)
... Is that Windows Update was a tool that was affected. (We can but hope)
Par for the course (Score:2)
So far, Win11 is a giant clusterfuck that isn't even worth my time or bandwidth. 5GB ISO download, can't install it on vmware player even with the TPM hack, much less Virtualbox. Various web articles want me to jump through hoops, downloading utilities that modify the ISO to skip all the stupid checks.
As a primarily OSX/Linux user, I choose to skip this whole shitshow garbagefest.
I only use Win10 for work and in a VM environment with a locked-down host-only network adapter, where everything goes through an