
On March 7, 2018, owners of Oculus Rift virtual reality headsets found themselves in a very unpleasant situation: their devices suddenly stopped working with the error "Can't Reach Oculus Runtime Service".

As it turned out, the problem was caused by the expiry of the code signing certificate on the OculusAppFramework.dll dynamic library, which is part of the Oculus Runtime Service: the library simply failed to load. The file's signature shows the certificate's expiry date:
Valid to: Wednesday, March 7, 2018 01:00:00 PM
Here the Oculus staff showed complete incompetence. The issue is not even that they forgot to renew the certificate, but that the file was signed incorrectly: they omitted the countersignature from a timestamping server. Had they included it, the files would have stayed validly signed indefinitely, because the timestamp server's signature attests that the certificate was valid at the moment the file was signed, so the certificate's expiry date no longer has to be checked against the current clock. Because Oculus omitted that countersignature, the library stopped loading the moment the certificate expired, that is, on 03/07/2018 at 01:00:00 PM.
Driver signing became mandatory starting with Windows 10 build 1607. Unsigned drivers simply are not loaded, with a few exceptions (for example, if Secure Boot is disabled, or if the file is signed with a cross-certificate issued before July 29, 2015).
As the investigation showed, the timestamp server's signature disappeared after the Oculus update from version 1.22 to 1.23, which took place just over a month earlier. The cause of the incident is not yet clear. One theory is that the timestamp could not be obtained during the automated build because the timestamp server was down at that moment.
The company released a patch within 24 hours that replaces the OculusAppFramework.dll file on the system. To run the patch on Windows you need to disable the antivirus (in Windows Defender, just click the More info link and then the Run anyway button). After the patch is installed, the Oculus Runtime Service updates itself from the server and the headset works again.
The patch appeared on the morning of March 8. So because of this carelessness by the company's employees, without any exaggeration, every Oculus Rift headset in the world was out of action for almost a day. Such are the consequences of one wrong code signing certificate.
Co-founder Nate Mitchell made a public apology and promised to give all affected users a $15 credit in the Oculus Store.
At first the credits were given only to those who specifically applied for them. The thing is, the VR headsets still booted into Oculus Home mode, where some actions could be performed, so not all users were formally affected. But it was later reported that within seven days the credits would be issued to everyone who had installed the update.
What conclusions can be drawn from this story?
Thousands of users were affected. Through its own oversight the company itself suffered losses, if it really did issue the $15 credit to a significant share of Oculus Rift users. The company was lucky not to face lawsuits from large customers, because Oculus VR systems are also used in the corporate sector, for example for presentations and promotions. One client said that on March 6 their company had held a large presentation for a big brand; had the certificate problem happened a day earlier, the event would have had to be cancelled.
Another victim said that their startup had spent several months developing software for training surgeons in VR. The previous week they had been preparing a presentation at a large medical conference, and the Oculus Rift headsets failed on the morning of the conference. Fortunately, one of the company's programmers quickly worked out the problem and found that the software could be run by rolling the Windows system clock back a couple of days.
A single expired certificate could have cost Oculus far more than the $15 credit for every affected user. One can imagine VR headsets and other IoT devices spreading everywhere, being used, for example, in real surgical operations, and then all failing simultaneously at one moment because of a similar software error.
Carelessness about the validity period of the code signing certificate is entirely Oculus's fault and no one else's. If you forget to attach the timestamp server's signature, the signed files effectively become a "time bomb" that goes off as soon as the certificate expires. GlobalSign, for example, issues code signing certificates for 1, 2 and 3 years.
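The timestamp countersignature rule explained earlier and the "time bomb" it prevents, as an added illustration that is not code from the article, from Oculus or from Microsoft: a small Python model of the decision a verifier makes, replayed against the dates of the incident (including the clock-rollback workaround the surgical-training startup used), plus a scan for signed files that will stop verifying at expiry. Only the "Valid to" instant is from the article; the certificate start date, the signing time and the second file are constructed for the example, and the rule is simplified (no revocation, no validation of the timestamp server's own certificate chain).

```python
# Added illustration (not Oculus's or Microsoft's code): a model of the
# decision an Authenticode-style verifier makes when the signing certificate
# has expired, with and without a timestamp countersignature.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime

    def is_valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class CodeSignature:
    path: str
    signer: Certificate
    # Time attested by a timestamping authority (TSA) countersignature, or None
    # when the signer skipped the timestamp step (the Oculus mistake).
    timestamp: Optional[datetime]


def signature_valid(sig: CodeSignature, now: datetime) -> Tuple[bool, str]:
    """Decide whether `sig` is acceptable at wall-clock time `now`.

    Simplified Authenticode rule: the TSA countersignature is the only trusted
    evidence of *when* the file was signed, so with one present the signer
    certificate only has to have been valid at that instant. Without one the
    verifier has nothing better than the current clock to check against.
    Revocation and validation of the TSA's own chain are out of scope here.
    """
    if sig.timestamp is not None:
        if sig.signer.is_valid_at(sig.timestamp):
            return True, "timestamped while the signer certificate was valid"
        return False, "timestamp lies outside the signer certificate's validity"
    if sig.signer.is_valid_at(now):
        return True, "no timestamp, but the signer certificate is valid right now"
    return False, "no timestamp and the signer certificate has expired"


def find_time_bombs(sigs: List[CodeSignature], now: datetime,
                    horizon: timedelta = timedelta(days=90)) -> List[Tuple[str, int]]:
    """Files that verify today but will stop verifying when their certificate
    expires within `horizon`, i.e. files signed without a timestamp.
    Returns [(path, days_until_failure), ...] sorted by urgency."""
    found = []
    for sig in sigs:
        if sig.timestamp is not None:
            continue                      # timestamped: survives expiry
        if not signature_valid(sig, now)[0]:
            continue                      # already broken, not a pending bomb
        remaining = sig.signer.not_after - now
        if remaining <= horizon:
            found.append((sig.path, remaining.days))
    return sorted(found, key=lambda item: item[1])


# Constructed data. Only the "Valid to" instant comes from the article; the
# start date, signing time, audit date and second file are assumptions.
EXPIRY = datetime(2018, 3, 7, 13, 0)
OCULUS_LIKE_CERT = Certificate("constructed code signing cert",
                               datetime(2016, 3, 8, 13, 0), EXPIRY)
LONG_LIVED_CERT = Certificate("constructed cert expiring later",
                              datetime(2017, 1, 1), datetime(2019, 12, 31))
SIGNED_AT = datetime(2018, 2, 1, 12, 0)        # assumed build time of release 1.23
AUDIT_DATE = datetime(2018, 2, 15, 12, 0)      # assumed date of a pre-incident audit

UNTIMESTAMPED = CodeSignature("OculusAppFramework.dll", OCULUS_LIKE_CERT, None)
TIMESTAMPED = CodeSignature("OculusAppFramework.dll", OCULUS_LIKE_CERT, SIGNED_AT)
OTHER_FILE = CodeSignature("other.dll", LONG_LIVED_CERT, None)


def scenario() -> dict:
    """The incident replayed against the model; True means the file loads."""
    day_before = datetime(2018, 3, 6, 12, 0)
    day_after = datetime(2018, 3, 8, 9, 0)
    rolled_back = day_after - timedelta(days=2)   # the clock-rollback workaround
    return {
        "no_ts_day_before": signature_valid(UNTIMESTAMPED, day_before)[0],
        "no_ts_day_after": signature_valid(UNTIMESTAMPED, day_after)[0],
        "no_ts_clock_rolled_back": signature_valid(UNTIMESTAMPED, rolled_back)[0],
        "ts_day_after": signature_valid(TIMESTAMPED, day_after)[0],
        "ts_years_later": signature_valid(TIMESTAMPED, datetime(2030, 1, 1))[0],
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:25s} {'loads' if ok else 'BLOCKED'}")
    print("pending time bombs:",
          find_time_bombs([UNTIMESTAMPED, TIMESTAMPED, OTHER_FILE], AUDIT_DATE))
```

Running the block shows the untimestamped file loading the day before expiry, being blocked the day after, loading again once the clock is rolled back two days, and the timestamped copy of the same file loading both the day after and years later; the audit lists OculusAppFramework.dll as a pending time bomb 20 days out while the timestamped copy never appears. On a real Windows machine the equivalent of the `timestamp is None` test is `Get-AuthenticodeSignature <file>` returning a null `TimeStamperCertificate`, and `signtool sign /tr <tsa-url> /td sha256` is what attaches the countersignature at build time.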
Someone may ask why put this "time bomb" into your software at all, that is, why sign the code. But there is no other way: it is a Microsoft requirement for certain categories of files. If executable code on Windows is signed, its execution can be "banned" on all computers at almost any time. This is a trade-off between freedom and security, and here the choice was made in favour of security. So in some sense the blame for such incidents also lies with Microsoft, which created a "single point of failure" to protect against code injection.
It can be assumed that such incidents will occur more and more often in future, because code signature verification is becoming more thorough in response to security threats, and also because operating system vendors want a cut of the profits from software sold through their proprietary app stores and are pushing all developers to sign their code. For Microsoft this is a potential source of billions of dollars of additional revenue it previously went without.
Oculus is not distributed through the Windows Store and does not pay Microsoft a 30% cut (at least for now). But for system drivers it is obliged to implement code signing to protect against injection and guarantee the integrity of the original files. In the end, though, Microsoft certainly expects to bring Oculus, and all other developers, into its Windows Store.
One way or another, developers have almost no way out. Certificates have to be used, but at the same time one must be careful to avoid incidents like Oculus's.
