CVE-2012-0151 — Microsoft Windows Authenticode Signature Verification Remote Code Execution Vulnerability

Microsoft Windows — WinVerifyTrust Digest Validation Flaw Allows Code Execution via Tampered Signed PE Files

What is Windows Authenticode?

Windows Authenticode is the code signing framework used to verify the authenticity and integrity of executable files (PE files: .exe, .dll, .sys, .cab). When a publisher signs a file, a cryptographic hash (digest) of the file contents is embedded in the signature. WinVerifyTrust is the Windows API function that validates this signature — it checks that the certificate chain is trusted and that the file's actual content matches the signed digest. A flaw in this verification process can allow attackers to modify a signed file without invalidating the signature, effectively defeating one of Windows' core trust mechanisms.

Overview

CVE-2012-0151 is an improper input validation vulnerability (CWE-20) in the WinVerifyTrust function in Microsoft Windows. The function fails to correctly validate the digest of a signed portable executable (PE) file, allowing an attacker to append arbitrary data or code to a legitimately signed PE file while the Authenticode signature remains valid. This means malware can masquerade as a trusted, digitally signed binary.

Microsoft patched this in Security Bulletin MS12-024 on April 10, 2012.

Affected Versions

| Operating System | Affected |
|---|---|
| Windows XP SP3 | Yes |
| Windows XP x64 Edition SP2 | Yes |
| Windows Server 2003 SP2 (all editions) | Yes |
| Windows Vista SP2 | Yes |
| Windows Server 2008 SP2 | Yes |
| Windows 7 (all service packs) | Yes |
| Windows Server 2008 R2 (all service packs) | Yes |

Technical Details

Authenticode PE signature verification works by hashing specific sections of a PE file according to a defined algorithm, then verifying that hash matches the signed digest. CVE-2012-0151 arises because WinVerifyTrust did not properly account for data appended after the end of the PE file's last section — data outside the measured portions of the file.

An attacker can:

  1. Obtain a legitimately signed PE file from a trusted publisher
  2. Append arbitrary code or data after the verified portion
  3. Craft a PE that executes the appended malicious code
  4. The resulting file passes WinVerifyTrust and appears fully trusted to Windows security checks

This bypasses User Account Control (UAC) prompts, application allowlisting based on signed publisher trust, and security software that relies on Authenticode validity as a trust signal.

Attack vector: Local, with user interaction required. The victim must execute the crafted file. The attack is typically delivered via social engineering (email attachment, download link) and relies on the apparent legitimacy of the Authenticode signature to convince the user to run it.

Discovery

The vulnerability was discovered through security research into the Authenticode signing verification process and coordinated with Microsoft before the MS12-024 patch release.

Exploitation Context

CISA confirmed exploitation in the wild. This vulnerability is particularly effective for social engineering campaigns targeting organizations with "run only signed applications" policies — the apparent Authenticode trust can bypass both technical controls and user suspicion. Malware authors used this technique to trojanize otherwise legitimate signed installers or system utilities.

Remediation

  1. Apply MS12-024 on all affected Windows systems immediately
  2. Modern Windows versions (8.1+) include stricter Authenticode validation that addresses this class of issue — prioritize upgrading end-of-life Windows versions
  3. Supplement Authenticode trust with additional controls: application allowlisting based on file hash rather than certificate alone, endpoint detection that analyzes PE structure, and sandboxing
  4. Do not treat Authenticode signature presence as a sufficient trust signal for allowing execution — validate against known-good hashes from authoritative sources
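
As an added example (not code from Microsoft or from this advisory), the following Python shows the kind of PE structure analysis referred to in Technical Details and in remediation item 3: it measures the bytes that sit past the last section and splits them around the certificate table. The function names and the in-memory sample image are constructed for illustration, and the result is a triage signal only, since signed installers can legitimately carry overlay data.

```python
import struct

def pe_trailing_regions(data: bytes) -> dict:
    """Measure bytes past the last section, split around the certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]             # PE32 / PE32+
    # Data directory 4 is the certificate table; its address is a file offset.
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    sec_table = opt + opt_size
    end = sec_table + nsec * 40                             # end of headers
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    signed = cert_size > 0
    cert_end = cert_off + cert_size if signed else len(data)
    return {
        "signed": signed,
        "end_of_sections": end,
        # bytes between the last section and the certificate table (or EOF)
        "overlay": max(0, (cert_off if signed else len(data)) - end),
        # bytes that follow the certificate table
        "after_cert": max(0, len(data) - cert_end),
    }

def needs_review(data: bytes) -> bool:
    r = pe_trailing_regions(data)
    return r["signed"] and (r["overlay"] > 0 or r["after_cert"] > 0)

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed minimal PE32 image: one section, 16-byte dummy cert table."""
    img = bytearray(1040)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)                   # e_lfanew
    img[64:68] = b"PE\0\0"
    struct.pack_into("<HH", img, 68, 0x14C, 1)              # machine, 1 section
    struct.pack_into("<H", img, 84, 224)                    # SizeOfOptionalHeader
    struct.pack_into("<H", img, 88, 0x10B)                  # PE32 magic
    struct.pack_into("<II", img, 88 + 96 + 32, 1024, 16)    # cert table entry
    struct.pack_into("<II", img, 312 + 16, 512, 512)        # raw size, raw ptr
    return bytes(img) + appended
```

Files flagged by `needs_review` still need their hash compared against a known-good value from the publisher, as item 4 recommends.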

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2012-0151 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2012-04-10 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-20 |
| CISA KEV Added | 2022-06-08 |
| CISA KEV Deadline | 2022-06-22 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2022-06-22. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2012-04-10 | Microsoft releases MS12-024 patching the WinVerifyTrust digest validation flaw |
| 2012-04-10 | CVE-2012-0151 published |
| 2022-06-08 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-06-22 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| NVD — CVE-2012-0151 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS12-024 | Vendor Advisory |