3CX breach highlights Windows flaw with non-mandatory fix

The large-scale supply chain attack targeting voice-over-Internet-protocol communications firm 3CX exploited a Windows flaw designated CVE-2013-3900 and described as a "WinVerifyTrust Signature Validation Vulnerability," in which one of two DLLs that were replaced with malicious versions for the attack was still designated as legitimately signed by Microsoft, BleepingComputer reports. According to ANALYGENCE senior vulnerability analyst Will Dormann, this particular vulnerability is 10 years old, having been disclosed by Microsoft on Dec. 10, 2013, and continues to be exploited to this day, allowing attackers to add content to the EXE's authenticode signature section in a signed executable without it affecting the signature's validity. Microsoft introduced a fix for this vulnerability on an opt-in basis, which can only be performed through a manual edit of the Windows Registry. However, Windows 10 users who employ this fix will find that it has been removed if they update to Windows 11, reopening their device to the vulnerability.