Recent changes in Qualys Coverage for Microsoft WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900)
Last updated on: April 23, 2023
On January 21st, 2022, Microsoft republished the advisory for CVE-2013-3900 to provide guidance for the vulnerability and its applicability to Modern Windows OS such as Windows 10 and Windows 11. While the vulnerability was fixed years ago, the stricter Windows Authenticode signature verification for portable executable (PE) files has always been an opt-in feature. Microsoft chose to keep the behavior as an opt-in feature because enforcing the stricter validation would have led to the failure of installation of some installers that were genuine but had unsigned PE files. More details regarding CVE-2013-3900 can be found here.
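Because the stricter verification is opt-in, the first thing a defender usually wants to know is whether it has actually been switched on. The following read-only PowerShell check is an added example, not part of the Qualys post or of Microsoft's advisory text; the registry paths and the `EnableCertPaddingCheck` value name are taken from Microsoft's CVE-2013-3900 advisory and are not on this page. It reports the state of the opt-in in both the native and the 32-bit (WOW6432Node) registry views on 64-bit Windows.

```powershell
# Added example (not from the Qualys post): report whether the opt-in stricter
# Authenticode verification from Microsoft's CVE-2013-3900 advisory is enabled.
# Registry locations and value name are assumed from that advisory.
# Read-only: nothing is changed.

function Get-CertPaddingCheckState {
    $paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
    if ([Environment]::Is64BitOperatingSystem) {
        # 32-bit processes on 64-bit Windows read the WOW6432Node view, so both must be set.
        $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    }

    foreach ($p in $paths) {
        $value = $null
        if (Test-Path -Path $p) {
            # The key may exist without the value; SilentlyContinue keeps $value as $null in that case.
            $value = (Get-ItemProperty -Path $p -Name 'EnableCertPaddingCheck' -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        }
        # The advisory sets the value to the string "1"; accept "1" or DWORD 1 as enabled.
        [pscustomobject]@{
            Path    = $p
            Value   = $value
            Enabled = ($null -ne $value) -and ("$value" -eq '1')
        }
    }
}

$state = Get-CertPaddingCheckState
$state | Format-Table -AutoSize

if ($state | Where-Object { -not $_.Enabled }) {
    Write-Warning 'EnableCertPaddingCheck is not set to 1 in every registry view; WinVerifyTrust still ignores extra data appended to the certificate table (CVE-2013-3900 behavior).'
} else {
    Write-Host 'Stricter Authenticode certificate padding check is enabled in all registry views.'
}
```

Run it in an elevated PowerShell session on the host under review. A `WARNING` line means the host still has the default, lenient behavior the post describes; before turning the check on fleet-wide, keep the post's caveat in mind that some genuine installers carrying unsigned or appended data will stop verifying once it is enforced.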
Keeping the above guidance in mind, Qualys released an IG QID 45526 to cover Modern Windows OS so that customers can evaluate their environment and then decide if they want to upgrade that IG to a Vuln QID. The IG QID was released on April 20th, 2022.
Recently, it was discovered that Threat Actors were leveraging this 10-year-old Microsoft WinVerifyTrust Signature Validation vulnerability (CVE-2013-3900) in the 3CX Supply Chain Attack. More information and Qualys coverage for the 3CX Supply Chain Attack can be found here.
As a result of this recent development and customer feedback, we decided to release a new Vuln QID 378332 so that all our customers can track this CVE in their environment more actively. The old IG QID 45526 will be deprecated on April 25th, 2023, and will no longer be available.