Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Windows Operating Systems IT

Microsoft Warns Windows 11 Features Are Failing Due To Its Expired Certificate (theverge.com) 109

Microsoft has started warning Windows 11 users that certain features in the operating system are failing to load due to an expired certificate. The certificate expired on October 31st, and Microsoft warns that some Windows 11 users aren't able to open apps like the Snipping Tool, touch keyboard, or emoji panel. From a report: A patch is available to fix some of the issues, but it's currently in preview, meaning you have to install it manually from Windows Update. The patch, KB4006746, will fix the touch keyboard, voice typing, emoji panel, and issues with the getting started and tips sections of Windows 11. You'll be able to find this patch by checking for updates in the Windows Update section of Settings in Windows 11. Microsoft's patch doesn't address the problems with the Snipping Tool app, though. "To mitigate the issue with Snipping Tool, use the Print Screen key on your keyboard and paste the screenshot into your document," recommends Microsoft. "You can also paste it into Paint to select and copy the section you want."
This discussion has been archived. No new comments can be posted.

Microsoft Warns Windows 11 Features Are Failing Due To Its Expired Certificate

Comments Filter:
  • Snipping Tool? (Score:5, Insightful)

    by TechyImmigrant ( 175943 ) on Thursday November 04, 2021 @01:12PM (#61957649) Homepage Journal

    Why on Earth does a program like the snipping tool need a certificate validation?

    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Thursday November 04, 2021 @01:18PM (#61957665)
      Comment removed based on user account deletion
      • by Gabest ( 852807 )

        Not even admin users have access to system files though. If the hacker already has so much priviledge, it will start encrypting documents and demand some bitcoin.

        • by Anonymous Coward
          Root access by the primary user has always been a problem with windows, while they've made efforts to restrict the permissions, you clearly don't know what the fuck you're talking about.
          • Windows does not have root. That is a *nix paradigm. The windows equivalent would be administrator or system. In either case, you use a regular user account for every day work, and a specific admin account for escalation only when needed.
        • too many privilege escalation vulnerabilities. last year has been pretty rough.

      • So a hacker can't find a bug that lets them replace the snipping tool with a malware infested alternative?

        Microsoft has done code signing for a while. I guess it makes sense that the signatures would be tied to a certificate. The WTF here is that they're using a cert that expires so soon (or expires at all.)

        Code or signatures are signed using a timestamp anchor to prevent exactly these types of problems from occurring.

      • I believe certs have to expire because they will be eventually broken by future tech.
        • Well, the other issue would be that the signing authority's cert will expire some day, which invalidates all certificates that were signed by that certificate. One way or another, there will be an expiration.

          I think the ideal scenario would be that it would happen more than 30 days after launch though. What a spectacular cock-up.

        • Comment removed based on user account deletion
      • or expires at all

        Certificate expiry is a necessary security feature that keeps the signing process up to date with evolving security standards. What works today, may not work tomorrow. A certificate which works in perpetuity results in decreasing security over time (normally not linear, but rather taking a major jumps such as when the SHA-1 collision was discovered).

        The WTF here is that I fully expected their own certificates in their own OS to not expire since they are in control of the certificates used, the signing, and

        • I don't care if security slowly goes down over time, Once the app is validated once, it should stay validated, simply upgrade the apps with a new certificate every so often, clearing the old validation, but if the user chooses not to upgrade or apply security patches, or the product goes out of support, security can go down that is a known risk of not updating your software.

          • I don't care if security slowly goes down over time

            Fortunately for the rest of the world, security practices don't give a crap what you care about.

            Once the app is validated once, it should stay validated

            No thanks. We shouldn't degrade security simply because you don't understand something or don't care about something.

            that is a known risk of not updating your software.

            We have 30 years of evidence showing the dumbest thing anyone can do is let a user determine risk of not updating. I'd be right there with you right as soon as computers are automatically booted from the internet. Update your software, get your COVID vaccine. The two go hand in hand.

      • by martinX ( 672498 )

        Microsoft has done code signing for a while.

        Yep, you'd think they would have figured how to do it right. JFC, they're the biggest software company in the fucking world and have been at this for forty fucking years.

      • Code signing certs don't explain it. When a code cert expires, all old code continues to work, you just can't sign new code with it, as it's backed by a timestamp server which acts as a rudimentary form of notary. If it didn't work that way, all old software would have stopped working long ago, along with old drivers and old scripts. This is down to a validation issue with online certs.
    • Re:Snipping Tool? (Score:4, Insightful)

      by fahrbot-bot ( 874524 ) on Thursday November 04, 2021 @01:19PM (#61957669)

      Why on Earth does a program like the snipping tool need a certificate validation?

      That was my thought too. I imagine it's so MS can exert control (on purpose) at some point ... You know all those people still using old versions of Windows, Office and other MS apps? How are they going to do that in the future when the certificates expire.

      • by laxguy ( 1179231 )

        this.

      • by mysidia ( 191772 )

        How are they going to do that in the future when the certificates expire.
        By filing charges against them in court for timebombing purchased software.

        • By filing charges against them in court for timebombing purchased software.

          Microsoft win in that case. They either outspend the other side in court or settle for a tiny fraction of the profit they made.
          The courts are the worst possible remedy.

      • You mean something like this:

        We at Microsoft think you have been a bad Bad BOY so we are invalidating your certificate. You shall not SNIP again!!

      • Read the posts above yours, they answer your question.

      • Microsoft is working towards a future where, when your Windows subscription lapses, all of your documents, everywhere, lock until you pay up. Whenever you find yourself thinking âoeWhy would M$ do that?â Remember that.
    • Re:Snipping Tool? (Score:5, Interesting)

      by The-Ixian ( 168184 ) on Thursday November 04, 2021 @01:19PM (#61957671)

      My guess? To upload the clipboard to the cloud for analysis.

      I suppose it's only a matter of time before you won't even be able to use the latest version of Windows on an air-gapped system...

      • With Win11 are we sure we're not there already?
      • I suppose it's only a matter of time before you won't even be able to use the latest version of Windows on an air-gapped system...

        I have to work in an air-gapped facility.

        In recent versions of Microsoft Office, the Help system depends on an internet connection that we don't have.

        Nobody is using advanced features of Office anymore, because we can't get to the documentation on how to use them.

    • by Anonymous Coward

      Just reissue it, eh? Or is that too obvious?

    • Re:Snipping Tool? (Score:5, Informative)

      by bws111 ( 1216812 ) on Thursday November 04, 2021 @01:58PM (#61957813)

      The snipping tool doesn't need a certificate. The snipping tool is signed. The OS verifies the signature by using a certificate. The certificate that proves the signature is valid is expiring.

      • by mysidia ( 191772 )

        The OS verifies the signature by using a certificate. The certificate that proves the signature is valid is expiring.

        This is a really broken system if things which were signed when the certificate was valid can no longer be validated - It's not like this is an unsolved problem;
          there is such a thing as using a trusted timestamping service to verify the date a certain signature Id was made and permanently cache the record to use for future validations.

        • by bws111 ( 1216812 )

          There is no such thing as 'signing when the certificate [is] valid'. You do not sign with a certificate, valid or otherwise. You sign with a key. The certificate just gives you information to determine if you trust that key. And that trust can change over time. Things like 'permanently trusting' have no place in security.

        • It's not like this is an unsolved problem;

          That's a misunderstanding of security. The "problem" here is the evolving nature of security and how cryptographic signatures devolve over time (e.g. someone discovered a collision in SHA-1 and suddenly the trust of all these certificates is broken).

          The solution to this problem is mandatory certificate expiry. Literally all cryptographic signatures used to validate a trust chain have an expiry period.

          • Someone has literally never heard of timestamping. It's literally in the post above yours.

            • Nope, timestamping doesn't solve the problem, all it does is work around certificate expiry issues by opening the process up to all of the problems which already exist.

              Again, trust in perpetuity is not trust. Just because a certificate is trusted today does not mean it can be trusted tomorrow, regardless of any timestamping. That's precisely the problem that expiry aims to solve.

        • How do you intend to authenticate this trusted timestamp service?

    • by Darinbob ( 1142669 ) on Thursday November 04, 2021 @02:01PM (#61957821)

      I don't care much about snipping tool. But no Emoji Panel! No way will I pay for Windows 11 without that!

    • Can the snipping tool snip out cert-based applications?

    • Dude, that's like asking why a few pages of text needs Kubernetes and a few dozen 3rd party JavaScripts. If you start asking questions like that, the whole proposition kind of falls apart. Won't you please consider all the Bay Area rents of the various parties involved? There are literally children's lives at stake.

    • by tlhIngan ( 30335 )

      Why on Earth does a program like the snipping tool need a certificate validation?

      It doesn't. It's just that it's a code-signed program whose signing certificate expired. So the program cannot execute because Windows can not verify the integrity of the app.

      • by PPH ( 736903 )

        because Windows can not verify the integrity of the app

        But it did once. When it was first installed.

        What is it doing? Re-checking the certificate every time I want to cut and paste? What happens when I'm using my app beyond available Internet connectivity? (This is the USA, with some of the shittiest broadband coverage outside of third world countries.)

        I could understand a certificate utility that checks through installed apps and warns the user that some are about to expire and you'd better drive into town and find a Starbucks with WiFi. But to have these th

    • Re:Snipping Tool? (Score:5, Insightful)

      by MachineShedFred ( 621896 ) on Thursday November 04, 2021 @04:02PM (#61958199) Journal

      I would like to know how someone is shipping an operating system with a volume like Windows, and not checking their certificate expirations to make sure there's more than 30 days left.

      Seriously, what the fuck. They haven't even gotten through their first month on the market and they already have shit failing from expiring certificates? That's such a 15-years-ago problem.

    • Why on Earth does a program like the snipping tool need a certificate validation?

      Because it sends valuable data about you to Microsoft, and they take care of their minions.

      • by AmiMoJo ( 196126 )

        So you have a shred, an atom of evidence for that?

        • So you have a shred, an atom of evidence for that?

          Don't like sarcasm? But then again - do you have a shred, an atom of evidence that they don't?

        • by MrL0G1C ( 867445 )

          Are you seriously trying to imply on slashdot that win10 and 11 aren't spyware?

          In-depth system specifications, as well as details on your PCâ(TM)s overall health and hardware capabilities
          App logs showing which apps youâ(TM)ve launched, timestamps, and how quickly they respond to your input
          Browser activity logs that show which sites you visit and what you search for. Notably, this only collects data from Internet Explorer and Microsoft

    • If thatâ(TM)s a genuine question, I wish I could say that youâ(TM)re on the wrong forumâ¦. Unsigned exes are not welcome in many enterprise environments. In my case, departments legitimately trying to introduce app versions that have been incorrectly signed set off flags for the ops and cyber teams and we help them (usually remind them) to remediate.
      • >

        If thatâ(TM)s a genuine question, I wish I could say that youâ(TM)re on the wrong forumâ¦.
        >
        >Unsigned exes are not welcome in many enterprise environments. In my case, departments legitimately trying to introduce app versions that have been incorrectly signed set off flags for the ops and cyber teams and we help them (usually remind them) to remediate.

        It was a genuine question. No one is saying the exe in question is unsigned. You can take it as given that I do understand certs and signing and all that goes along with it. I've implemented production CAs and written certs standards for device certificates we all use and have a healthy dislike for the current cert standards. However for software that is signed within a trust hierarchy that can be validated to a trusted root cert that was valid and trusted at the time of installation to then be calling

    • To ensure your license does not go "stale".

      Yes, I'm serious. If you use Visual Studio, MS requires you to regularly log in to their servers or else the software will be deactivated. MS explicitly says they will not invalidate or expire your license to use the software, but your license may go "stale".

  • by Anonymous Coward on Thursday November 04, 2021 @01:18PM (#61957667)
    This story seems to be another of the many indications that Microsoft is badly managed.
    • by martinX ( 672498 )

      I don't think they have ever been well managed. They are a city of silos all built on sand. JFC, they're the biggest software company in the fucking world and have been at this for forty fucking years, you'd think they could figure it out by now.

  • by bustinbrains ( 6800166 ) on Thursday November 04, 2021 @01:21PM (#61957677)

    The Windows Code Signing program is a complete disaster. The certificates themselves are super expensive and there is no guarantee that counter-signed, timestamped, expired certs will continue to run past their expiry.

    Microsoft needs to take a long, hard look at their digital signature program and revamp it and make it reasonably affordable again. If I were them, I'd also consider adding DNSSEC DANE TLSA, GPG signature, and/or GitHub repo signature/validation support to the program as zero-cost options. Digital signatures just verify that binaries haven't been modified in between the source and destination. They are not a valid solution for stopping malware.

    • by bws111 ( 1216812 )

      Signatures provide proof of the source. They are very much a valid solution for stopping malware. You can verify that the binaries haven't changed with a simple hash, no need for signatures.

      • by Tablizer ( 95088 )

        This seems like a contradiction. Perhaps you really mean, "While certificate signatures are a valid way to stop malware, they are overkill because binaries can be verified with a simple hash."

        • by Gabest ( 852807 )

          A simple hash can be created by anyone. But signatures are asymmetric. Microsoft (or the dev) can create them from the hash and anyone with the pub key can decrypt and verify it.

        • by bws111 ( 1216812 )

          No contradiction, and not overkill. Signatures protect at run-time. When the OS is going to execute something, it verifies the signature. This shows two things: the binary has not been modified (at any point), and the program comes from a 'trusted' source. The 'trust' is provided by the signature and it's verification against a trusted certificate. One certificate can protect an unlimited number of programs. To do the same thing with a hash, you would need to have an uncorruptable database of the has

          • by mysidia ( 191772 )

            Signatures protect at run-time. When the OS is going to execute something, it verifies the signature. This shows two things: the binary has not been modified ....

            No.. Signatures help establish authenticity when something is being distributed and protect against simple tampering only.

            In the case of run-time, and malware intrusion: the entire binary can been replaced with a Non-Signed binary which is now a "valid" .Exe because it is not signed at all, Or the replacement .Exe may be a newly-Signed binary

            • by bws111 ( 1216812 )

              None of what you said has anything to do with signatures. The fact that you can run an unsigned binary is a flaw in Windows, not in the concept of signing. The fact that two different trusted sources can release same-named binaries has nothing to do with signatures. The fact that a compromised system is untrustworthy has nothing to do with signatures.

              My point stands: signatures prove the source AND authenticity of something in a properly implemented system. They do not 'just show that the binaries have n

              • by mysidia ( 191772 )

                The fact that you can run an unsigned binary is a flaw in Windows, not in the concept of signing.

                The subject is the actual windows code signing feature that exists; not some theoretical code signing feature that requires 100% of every possible executable or script to be signed that would not work, because it's just plain not supportabled for many existing scripting languages, Office macros, etc and would break Windows' cherished backwards compatibility.

                The fact you can run unsigned code invalidates the unqu

      • by mysidia ( 191772 )

        Signatures provide proof of the source. They are very much a valid solution for stopping malware.

        Signatures are to resist tampering of a product and counterfeit binaries, they are not a valid solution for preventing the distribution of the predominant forms of malware. The malware just comes either signed with a legitimate developer's certificate, because the supply chain was compromised, or more often with no certificate at all - Many legitimate programs are Not signed because of the complexity and co

        • by tlhIngan ( 30335 )

          Signatures are to resist tampering of a product and counterfeit binaries, they are not a valid solution for preventing the distribution of the predominant forms of malware. The malware just comes either signed with a legitimate developer's certificate, because the supply chain was compromised, or more often with no certificate at all - Many legitimate programs are Not signed because of the complexity and costs, and People don't check that the certificate matches their expected developer before running progr

          • by mysidia ( 191772 )

            MacOS enforces application signatures by default, not running unsigned or mis-signed apps without a little work on the user's part.

            Actually not.. they only enforce signing on some apps.. Mainly: Apps in their app store. And they will block unidentified apps downloaded from the internet (as identified by filesystem-level metadata that web browsers on OSX add to downloaded files).

            This helps establish Authenticity for distributing software, but it does not prevent tampering if a malicious program

    • by nasch ( 598556 )

      there is no guarantee that counter-signed, timestamped, expired certs will continue to run past their expiry.

      I probably misunderstood something, but that sounds like a good thing. Why would you want a certificate to continue to be valid past its expiration date?

  • by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Thursday November 04, 2021 @01:23PM (#61957683) Homepage
    While I can understand using certificates to validate the publisher/developer of software to determine trust, it's concerning these bits of software don't work at all once that chain of trust is expired. Of course if the proper dialog to bypass and run does come up if you run the software by hand, and it's only an issue with automated execution of these items, then it's not as bad I suppose. Still concerning from the aspect of future software preservation. The certificates won't be renewed forever.
    • Good point. Which might explain why XP remains so 'reliable' and successful to this day. Someone at Microsoft seems to have made changes since the days XP came and went. Which doesn't invalidate your point about future software preservation.
    • by sectokia ( 3999401 ) on Thursday November 04, 2021 @03:21PM (#61958093)
      On 31st Dec 2020 microsoftâ(TM)s root certificate authority, which has been in windows since 1997, expired. Anyone who didnâ(TM)t update windows 10 was hit by it, and still is if you install windows 10 from disc with no internet access from an pre 2019 image. Despite what people are claiming, this sort of signing has been part of windows since NT4.
    • it's concerning these bits of software don't work at all once that chain of trust is expired.

      No, that's not concerning, that's a design feature. You can't have a chain of trust without a way to break the chain.
      What is concerning is that Microsoft doesn't trust Microsoft and thus put an expiry on their own self signed certificates :-)

    • by nasch ( 598556 )

      Of course if the proper dialog to bypass and run does come up if you run the software by hand

      If you're going to do that you may as well not bother with certificates at all, since everyone but the most security conscious will just click through the warning without reading it, let alone understanding it.

  • Unable to load comment. Please update certificates for sarcasm, snark, and I told you so to see it.

  • by IWantMoreSpamPlease ( 571972 ) on Thursday November 04, 2021 @02:10PM (#61957857) Homepage Journal

    "Alpha Software"

    Many more words:

    I don't get why people have to rush out and be bug finders for another company, worse yet, putting said alpha software on production systems (yes, this kind of BS has been broached where I work...) and then acting surprised when it goes tits up, because why?

    "Alpha Software"

  • but on both my everyday systems, I've found it occasionally just 'fails to work' or forgets the win+shift+S keystroke shortcut.

    • I prefer Greenshot by a wide margin. Super easy, lots of save flexibility (I open in editor and copy to clipboard, so I can just paste or do a quick edit/copy/paste).

  • MicroCrap (Score:3, Informative)

    by gweihir ( 88907 ) on Thursday November 04, 2021 @02:45PM (#61957985)

    They cannot even get a major release right. What a bunch of fuckups.

    • Re: (Score:3, Insightful)

      by thegarbz ( 1787294 )

      They cannot even get a major release right. What a bunch of fuckups.

      Who does get a major release right?

      Debian who roll out systemd with a major release?
      Redhat who depreciate their entire purpose of being by changing to rolling release with a major release?
      Apple who brick Macs and break software with a major release?
      OpenBSD who bore people to death with a major release? ... Actually that last one sounds pretty good.

      • by gTsiros ( 205624 )

        hp48g

        there were 5 releases in total

        the entire system has fewer than 12 total bugs, most of which circumventable, all of them trivially preventable.

    • Not necessarily defending MS here, but they werenâ(TM)t alone in this debacle. Scores of large software companies and cloud services providers were affected by this root certificate expiration. It was a 25 year cert.

      • by gweihir ( 88907 )

        Amateurs all around. If these people had been doing it right, they would have checked all certs at least yearly.

    • by antdude ( 79039 )

      This is not new. :P

      • by gweihir ( 88907 )

        This is not new. :P

        No, it is not. It is an established pattern over multiple decades.

  • by Fly Swatter ( 30498 ) on Thursday November 04, 2021 @02:47PM (#61957991) Homepage
    Sure would bad if something were to happen to it.

    Eventually windows will be completely free to install (legally speaking), but you will have to subscribe to get updated certificates so that you can run Clippy, er I mean Notepad.
  • by organgtool ( 966989 ) on Thursday November 04, 2021 @03:47PM (#61958153)
    Windows 11 wasn't even out for a month before it went obsolete!
  • by thegarbz ( 1787294 ) on Thursday November 04, 2021 @04:07PM (#61958213)

    1. The classic facepalm: https://knowyourmeme.com/memes... [knowyourmeme.com]
    2. The double facepalm: https://knowyourmeme.com/photo... [knowyourmeme.com]
    3. The triple facepalm: https://knowyourmeme.com/photo... [knowyourmeme.com]
    4. The implied facepalm: https://knowyourmeme.com/photo... [knowyourmeme.com]
    5. An this most epic of next level facepalm: "To mitigate the issue with Snipping Tool, use the Print Screen key on your keyboard and paste the screenshot into your document,"

  • Seems robust... if they miss anything it appears your system is hosed.

    It looks like the whole operating system has a massive a dependency on Microsoft and it doesn't look like there's anything I can do to fix the problems if Microsoft drops the ball like they are here so I'm just going to have to say no to that bull.

  • A lot of bad takes in here from people who donâ(TM)t seem to understand how certificate chains actually work, and how certificates are used to authenticate.

    That said, I believe my organization is experiencing an outage due to this root cert expiration. I have an app service hosted in an Azure App Service Environment which is failing to establish tls connections to any other web server with an âoeuntrusted rootâ error. I do not have full access to the operating system as it is PaaS and not a V

  • ... Is that Windows Update was a tool that was affected. (We can but hope)

  • So far, Win11 is a giant clusterfuck that isn't even worth my time or bandwidth. 5GB ISO download, can't install it on vmware player even with the TPM hack, much less Virtualbox. Various web articles want me to jump through hoops, downloading utilities that modify the ISO to skip all the stupid checks.

    As a primarily OSX/Linux user, I choose to skip this whole shitshow garbagefest.

    I only use Win10 for work and in a VM environment with a locked-down host-only network adapter, where everything goes through an

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...