Yincognito wrote: ↑August 6th, 2024, 7:24 pm
Do you mean that an user who hypothetically has his ISP hacked would still get the "right" fix through automatic updates?
Probably not....but I believe these people have bigger issues than if Rainmeter updates.
I was responding to the advice that everyone turn off their automatic updates. If everyone turns it off, then never manually checks for an update, they won't get the fix. If you were one of the unfortunate who had malware installed, then I would bet that when Rainmeter updates, you will still get that "hacked" status file and get the malware package again. There is nothing we can do for that.
Brian wrote: ↑August 6th, 2024, 7:35 pm
Probably not....but I believe these people have bigger issues than if Rainmeter updates.
I was responding to the advice that everyone turn off their automatic updates. If everyone turns it off, then never manually checks for an update, they won't get the fix. If you were one of the unfortunate who had malware installed, then I would bet that when Rainmeter updates, you will still get that "hacked" status file and get the malware package again. There is nothing we can do for that.
-Brian
Indeed. Thanks for the clarification, much appreciated!
richlee91 wrote: ↑August 6th, 2024, 5:54 pm
Came here for the same reason. I was wondering what the plan was to mitigate. I see you have code signing, which should mitigate the MITM attack.
I did a little digging and this is what I found. I am not an expert at rainmeter and this is the first time I have looked at the repo.
Looks like it gets the status file with http:
Ah, then it downloads anything within status.json. The SHA is also contained in that file, so a bady would only have to build and host their own status.json and rainmeter clients would get their malicious update.
I looked back 13 years and it been the same since then so this does not appear to me to be malicious coding on the rainmeter side.
I would humbly suggest retrieving the status file with https and adding a check for the signature of the signed executables before installing.
This is not a theoretical attack it is known to be happening in the wild. In the meantime I would recommend everyone disable the check for updates and ensure that their current rainmeter install is using signed code. (right click on the all of the .exe and .dll files within the rainmeter directory and ensure they are signed as below)
Thanks for your attention to this issue.
Rich
I installed the latest update, but my .dll and .exe files don't have the signature you posted (Firebit OU). The 'name of signer' is 'Rainmeter Team' and the timestamp is 'not available.'
Also under 'digital signature information,' it says 'the certificate in the signature cannot be verified' and the signer information is also 'Rainmeter Team.' The certificate info indicates 'Windows does not have enough information to verify this certificate' and it says 'issued to: Rainmeter Team,' 'issued by: Rainmeter Team Root Certificate,' and 'Valid from 2/29/2024 to 2/26/2034.'
Can anyone confirm if that's all correct? It looks like all the files are from 8/8/24. I just installed this fix yesterday after the program prompted me and I checked the forum first.
EDIT: I downloaded the .exe file from the official site just to compare, but that one has a signature time stamp and verified certificate signed by 'SignPath Foundation.' I'm confused because when I clicked to update through the app, I got a prompt from Windows whether I wanted 'SignPath Foundation' Rainmeter to make changes (I figured that was the update package). Why are my 8/8/24 files signed by 'Rainmeter Team' instead? Was I not supposed to update via the application?
meloncake wrote: ↑August 22nd, 2024, 12:15 am
I installed the latest update, but my .dll and .exe files don't have the signature you posted (Firebit OU). The 'name of signer' is 'Rainmeter Team' and the timestamp is 'not available.'
Also under 'digital signature information,' it says 'the certificate in the signature cannot be verified' and the signer information is also 'Rainmeter Team.' The certificate info indicates 'Windows does not have enough information to verify this certificate' and it says 'issued to: Rainmeter Team,' 'issued by: Rainmeter Team Root Certificate,' and 'Valid from 2/29/2024 to 2/26/2034.'
Can anyone confirm if that's all correct? It looks like all the files are from 8/8/24. I just installed this fix yesterday after the program prompted me and I checked the forum first.
EDIT: I downloaded the .exe file from the official site just to compare, but that one has a signature time stamp and verified certificate signed by 'SignPath Foundation.' I'm confused because when I clicked to update through the app, I got a prompt from Windows whether I wanted 'SignPath Foundation' Rainmeter to make changes (I figured that was the update package). Why are my 8/8/24 files signed by 'Rainmeter Team' instead? Was I not supposed to update via the application?
Thanks for any help!
The way it works is that the "installer" .exe program is signed by SignPath Foundation. That is the application you download from the website and requires the most serious level of certification. The .exe and .dll files inside the installer, the ones that are actually installed on your computer, are self-signed by us, as they can be trusted since they came inside the very secure installer container. When Rainmeter is auto-updated by the application itself, you don't really see the "installer", but it is indeed used to deliver the application and install it. The SHA hash of the installer is checked before it is executed by the auto-update process.
So the long and the short of it is that yes, what you are seeing is correct.
The installer:
1.jpg
The internal program files:
2.jpg
The goal intended by "signing" the installer is to allow it to be safely downloaded. Hopefully and presumably from our website or WinGet, but really from anywhere. It allows the installer to be "trusted" by Microsoft Windows, which will require this trust in order to download and run without lots of barking and snarling. The internal application .exe and .dll files are not going to be downloaded, and don't require having to jump through these hoops. The self-signed certificate has the same effect of tying the files to our organization in a trusted way, just not using an external certificate issuing entity that is "trusted" by Microsoft.
You do not have the required permissions to view the files attached to this post.
jsmorley wrote: ↑August 22nd, 2024, 3:19 am
The way it works is that the "installer" .exe program is signed by SignPath Foundation. That is the application you download from the website and requires the most serious level of certification. The .exe and .dll files inside the installer, the ones that are actually installed on your computer, are self-signed by us, as they can be trusted since they came inside the very secure installer container. When Rainmeter is auto-updated by the application itself, you don't really see the "installer", but it is indeed used to deliver the application and install it. The SHA hash of the installer is checked before it is executed by the auto-update process.
So the long and the short of it is that yes, what you are seeing is correct.
The installer:
1.jpg
The internal program files:
2.jpg
The goal intended by "signing" the installer is to allow it to be safely downloaded. Hopefully and presumably from our website or WinGet, but really from anywhere. It allows the installer to be "trusted" by Microsoft Windows, which will require this trust in order to download and run without lots of barking and snarling. The internal application .exe and .dll files are not going to be downloaded, and don't require having to jump through these hoops. The self-signed certificate has the same effect of tying the files to our organization in a trusted way, just not using an external certificate issuing entity that is "trusted" by Microsoft.
Thank you for clarifying! That's basically how my files looked. This is probably a stupid question, but when you say downloading the installer from WinGet - is that the same thing as installing the update from within the Rainmeter application when prompted? Was that safe to do if my ISP wasn't hacked like the article described?
meloncake wrote: ↑August 22nd, 2024, 5:17 am
Thank you for clarifying! That's basically how my files looked. This is probably a stupid question, but when you say downloading the installer from WinGet - is that the same thing as installing the update from within the Rainmeter application when prompted? Was that safe to do if my ISP wasn't hacked like the article described?
Yes, WinGet is a Microsoft product, and is very secure. As far as I know, the only thing that was at any risk, and the risk was quite low, was the "auto-update" process in Rainmeter itself. That has since been corrected.
