Two issues have been reported in the Windows File Protection (WFP) mechanism. Both are considered design flaws in WFP.

The first allows a remote user to create digitally signed code using certificates that will cause the target user's Windows operating system to trust the signature on the code. According to the report, the Microsoft Windows File Protection mechanism will trust any code-signing digital signature that has a trust chain to any of the Trusted Root Certification Authorities that are configured for that operating system.

A remote user can create malicious code and digitally sign it with a certificate that chains to a trusted Root CA, so that Windows will trust the code. The report also states that a malicious digitally signed file will take priority over an authentic WFP-signed file.

While there is no solution from Microsoft available at this time, it is recommended that you delete your default Root CA Certificates and ignore Windows File Protection.


The second issue reported is that the WFP (Windows File Protection) mechanism in Windows XP/Pro will leave old security catalogs (.CAT files) containing valid digital signatures in the %WinDir%\System32\CatRoot directory when new files and security catalogs are installed. This may permit a local user to modify certain files on the file system, replacing the newer fixed files with older versions containing vulnerabilities, without detection by WFP. Because old hash codes are given the same priority and authentication as newer ones, an administrator would have to inspect full-file hashes against known authentic hashes to determine whether a file has been replaced.

Win XP and .Net Server 2003 have procedures allowing administrators to implement Software Restriction Policies that provide a static access policy for governing software modifications.

It is further advised that old vendor-provided security catalogs (.CAT files) be deleted and new ones created by administrators.
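The check recommended above (comparing full-file hashes against a known-good baseline rather than relying on catalog membership) is illustrated by the following added example, which is not part of the original report. It models a catalog as a set of accepted hashes, constructs a file that is "patched" and then rolled back to its older build, and shows that a WFP-style check (hash present in any installed catalog) still accepts the downgraded file while the baseline comparison flags it. File names, catalog names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Full-file SHA-256, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def catalog_accepts(catalogs: dict, file_hash: str) -> bool:
    """Model of the WFP behaviour described in the report: a file passes if
    its hash appears in ANY installed catalog, superseded ones included."""
    return any(file_hash in hashes for hashes in catalogs.values())


def check_baseline(baseline: dict, root: Path) -> dict:
    """Compare each baselined file with its current on-disk hash."""
    report = {}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            report[rel] = "missing"
        else:
            report[rel] = "ok" if sha256_file(p) == expected else "modified"
    return report


def rollback_demo():
    """Constructed scenario: a patched file is swapped for its older build."""
    old_build = b"system.dll build 1 (contains the fixed bug)"
    new_build = b"system.dll build 2 (patched)"
    # Two catalogs, as left behind in CatRoot after an update (constructed names).
    catalogs = {"oldfix.cat": {sha256_bytes(old_build)},
                "newfix.cat": {sha256_bytes(new_build)}}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        target = root / "system.dll"
        target.write_bytes(new_build)
        baseline = {"system.dll": sha256_file(target)}  # recorded after patching
        target.write_bytes(old_build)                    # the undetected downgrade
        wfp_ok = catalog_accepts(catalogs, sha256_file(target))
        status = check_baseline(baseline, root)["system.dll"]
    return wfp_ok, status


if __name__ == "__main__":
    accepted, status = rollback_demo()
    print(f"catalog check accepts downgraded file: {accepted}; baseline says: {status}")
```

In practice the baseline would be captured immediately after patching (for example, hashes of the files under %WinDir%\System32) and stored off the host, so that a later comparison is not itself subject to tampering.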

Courtesy of: Forensics.org