How to Fix the Microsoft CVE-2013-3900 Vulnerability

CVE-2013-3900 is a vulnerability in the WinVerifyTrust function, the Windows API that verifies Authenticode signatures on PE files (executables, DLLs, drivers). Microsoft originally published it in December 2013 (security bulletin MS13-098), but the fix is opt-in: without the registry setting described below, WinVerifyTrust accepts extra, unauthenticated bytes appended to the signature structure of a signed file, so an attacker can add content to a signed binary while the signature still validates. Because the check is off by default, vulnerability scanners keep reporting the CVE on otherwise fully patched systems. To mitigate it, you enable the certificate padding check through the Windows registry. Below is a step-by-step guide.

Step-by-Step Procedure

1. Open Registry Editor

To begin, you need to access the Registry Editor:

  • Press Win + R, type regedit, and press Enter.

2. Navigate to the Appropriate Path

The setting lives under HKEY_LOCAL_MACHINE. On 64-bit Windows you must set it in both of the following paths (the Wow6432Node path is the view of the registry seen by 32-bit processes running under WOW64); on 32-bit Windows only the first path applies:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config

  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config (64-bit Windows only, for 32-bit processes)

3. Create the Necessary Keys

The Wintrust and Config keys are usually absent and must be created:

  • Right-click on Cryptography and select New > Key; name the new key Wintrust (skip this if Wintrust already exists).

  • Right-click on Wintrust and select New > Key; name the new key Config.

  • On 64-bit Windows, repeat both steps under Software\Wow6432Node\Microsoft\Cryptography.

4. Add the Registry Value

Next, add the required registry value:

  • Right-click on the Config key, select New > DWORD (32-bit) Value, and name it EnableCertPaddingCheck.

  • Set the value of EnableCertPaddingCheck to 1.

5. Restart Your Computer

To ensure the changes take effect, restart your computer.
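The five steps above as a single PowerShell script, added here as an example rather than taken from the original post. It assumes only the registry paths and value described above, and must be run from an elevated (Run as administrator) 64-bit PowerShell session: a 32-bit PowerShell on 64-bit Windows would have its HKLM:\SOFTWARE writes silently redirected to Wow6432Node and leave the native key unset.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): enable the CVE-2013-3900
# certificate padding check on this machine and verify the result.
# Assumes the registry paths documented by Microsoft for this CVE.

$ValueName = 'EnableCertPaddingCheck'

# The native path is always needed. The Wow6432Node path only exists on 64-bit
# Windows, where it is the registry view seen by 32-bit processes under WOW64.
$paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

function Enable-CertPaddingCheck {
    param([string[]]$KeyPaths)
    foreach ($p in $KeyPaths) {
        # -Force creates Wintrust\Config and any missing parent key, and does
        # not fail if the key is already there.
        New-Item -Path $p -Force | Out-Null
        # REG_DWORD 1 turns the stricter check on; -Force overwrites an
        # existing value of the same name.
        New-ItemProperty -Path $p -Name $ValueName -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-CertPaddingCheck {
    param([string[]]$KeyPaths)
    $allSet = $true
    foreach ($p in $KeyPaths) {
        $v = Get-ItemProperty -Path $p -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $v -and $v.$ValueName -eq 1) {
            Write-Host "OK       $p\$ValueName = 1"
        } else {
            Write-Host "MISSING  $p\$ValueName"
            $allSet = $false
        }
    }
    return $allSet
}

Enable-CertPaddingCheck -KeyPaths $paths
if (Test-CertPaddingCheck -KeyPaths $paths) {
    Write-Host 'Certificate padding check enabled. Restart so every running process picks it up.'
} else {
    Write-Warning 'One or more registry values could not be verified.'
}
```

Run Test-CertPaddingCheck on its own (or re-run the whole script, which is idempotent) to audit a machine, for example after a scanner has flagged it. To revert, delete the EnableCertPaddingCheck value from both paths with Remove-ItemProperty.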

Automating the Process with a .reg File

Alternatively, you can automate this process by creating a .reg file. The file below sets both paths, so it works unchanged on 64-bit Windows; on 32-bit Windows the Wow6432Node entry is simply created and never read:

  1. Create a new text file and paste the following content:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"=dword:00000001
    
  2. Save the file with a .reg extension (e.g., EnableCertPaddingCheck.reg).

  3. Double-click the .reg file and confirm the prompts to add the entries to the registry.

  4. Restart your computer.

Conclusion

By following these steps, you enable the stricter Authenticode padding check that mitigates CVE-2013-3900 on your Microsoft system. One caveat before rolling it out fleet-wide: Microsoft opted not to enforce the check by default because some vendors stored unauthenticated data (such as installer configuration) in the signature padding, and once the check is on those files are reported as not validly signed. Test your own installers and any software deployment tooling after enabling it, and keep the setting in place once it is confirmed working, since vulnerability scanners will otherwise keep flagging the host.

For more detailed information, you can refer to the following resources:

  • CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability

  • Resolving Microsoft WinTrust Verify Vulnerability Through GPO

  • CVE-2013-3900: Authenticode Signature Verification - Certificate Padding
