Kaspersky, the makers of some great PC security tools, reported this week an interesting hole in the Windows platform.
Apparently, if the security certificate used to install software onto your system has been tampered with, Windows does not pick this up and fails to report this important breach of the security regime.
It seems that a new worm that surfaced a month or so ago, Stuxnet, used fake Verisign digital certificates issued to hardware manufacturer Realtek Semiconductor. Those certificates had already been revoked by both Microsoft and Verisign, yet the worm could still be installed on systems.
Kaspersky Lab’s Roel Schouwenberg looked at how Microsoft was handling digitally signed files. Having removed the digital signature from a legitimate software package, he then installed the package on his computer. There was no indication that the signature had been removed.
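As an added example (not code from the original post or from Kaspersky), the following PowerShell function performs the two checks the article describes Windows skipping: it classifies a file's Authenticode state (signed, stripped, or tampered) and then builds the signer's certificate chain with online revocation checking so a revoked certificate is surfaced. The installer directory in the usage comment is a placeholder.

```powershell
# Added example: classify a file's Authenticode signature and check the
# signer's revocation status, instead of trusting the installer to flag it.
function Test-SignedFile {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path        = $Path
        SigStatus   = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = $null
        Revoked     = $false
        ChainErrors = @()
    }

    # NotSigned: signature stripped (the Schouwenberg test case).
    # HashMismatch: file bytes changed after signing.
    # Neither should be installed without someone looking at it.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$result
    }

    $result.Signer = $sig.SignerCertificate.Subject

    # Build the chain with online revocation checking. A revoked leaf (the
    # Realtek case) shows up as a Revoked chain status even though the
    # signature itself still verifies cryptographically.
    $ns = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($sig.SignerCertificate)

    $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    foreach ($s in $chain.ChainStatus) {
        $result.ChainErrors += "$($s.Status): $($s.StatusInformation.Trim())"
        if ($s.Status.HasFlag($revokedFlag)) { $result.Revoked = $true }
    }
    return [pscustomobject]$result
}

# Usage (placeholder path): list anything that is not a clean, unrevoked signature.
# Get-ChildItem C:\Installers\*.exe | ForEach-Object { Test-SignedFile $_.FullName } |
#     Where-Object { $_.SigStatus -ne 'Valid' -or $_.Revoked }
```

X509Chain does not apply Authenticode's timestamp rule, so a signature made before the revocation date is still reported as revoked here; treat that as a prompt to review the file, not as proof of tampering.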
The underlying problem here is that fake or revoked certificates that still pass unchallenged undermine the reputation-based approach that many anti-virus vendors are taking to protection.